Abstract. In this paper, we study the model-checking and parameter synthesis problems 
of the logic TCTL over discrete-timed automata where parameters are allowed both in 
the model (timed automaton) and in the property (temporal formula). Our results are as 
follows. On the negative side, we show that the model-checking problem of TCTL extended 
with parameters is undecidable over discrete-timed automata with only one parametric 
clock. The undecidability result needs equality in the logic. On the positive side, we show 
that the model-checking and the parameter synthesis problems become decidable for a 
fragment of the logic where equality is not allowed. Our method is based on automata 
theoretic principles and an extension of our method to express durations of runs in timed 
automata using Presburger arithmetic. 



In this paper, we further investigate the model-checking problem of real-time formalisms 
with parameters. In recent works, parametric real-time model-checking problems have been 
studied by several authors. 

Alur et al study in [2] the analysis of discrete- and dense-timed automata where clocks are compared to parameters. For this class of parametric timed automata, they focus on the emptiness problem: are there concrete values for the parameters so that the automaton has an accepting run? They show that when only one clock is compared to parameters, the emptiness problem is decidable, but it becomes undecidable when three clocks are compared to parameters. Hune et al study in [9] a subclass of parametric dense-timed automata (L/U automata) such that each parameter occurs either as a lower bound or as an upper bound.

Figure 1: A parametric timed automaton

Wang in [12], [13], Emerson et al in [8], Alur et al in [3] and the authors of this paper in [5] 
study the introduction of parameters in temporal logics. The model-checking problem for 
TCTL extended with parameters over discrete- and dense-timed automata (without param- 
eters) is decidable. On the other hand, only a fragment of LTL extended with parameters 
is decidable. 

Unfortunately, in all those previous works, the parameters are only in the model (ex- 
pressed as a timed automaton) or only in the property (expressed as a temporal logic 
formula). Nevertheless, when expressing a temporal property of a parametric system, it is 
natural to refer in the temporal formula to the parameters used in the system. 

In this paper, we study the model-checking problem of the logic TCTL extended with 
parameters over the runs of a discrete-timed automaton with one parametric clock. To the 
best of our knowledge, this is the first work that studies the model-checking and parameter 
synthesis problems with parameters both in the model and in the property. We restrict 
to one parametric clock since the emptiness problem for discrete-time automata with three 
parametric clocks is already undecidable (see above, [2]). The case of dense-timed automata 
with one parametric clock is not investigated in this paper. 

Let us illustrate the kind of properties that we can express with a parametric temporal logic over a parametric timed automaton. The automaton $A$ of Figure 1 is a discrete-timed automaton with one clock $x$ and two parameters $\theta_1$ and $\theta_2$. Here we explicitly model the elapse of time by transitions labeled by 0 or 1. State $q_0$ is labeled with atomic proposition $\sigma$ and in all other states this proposition is false. The possible runs of this automaton starting at $q_0$ are as follows. The control instantaneously leaves $q_0$ and goes through $q_1, q_2, q_3$ to come back to $q_0$; the time spent in this cycle is constrained by the parameters $\theta_1$ and $\theta_2$. In fact, the control has to leave $q_1$ at most $\theta_1$ time units after entering it and the control has to stay exactly $\theta_2$ time units in state $q_2$. To express properties of those behaviors, we use TCTL augmented with parameters. Let us consider the next three formulae for configuration $(q_0, 0)$, i.e. the control is in state $q_0$ and clock $x$ has value 0:

(i) $\forall\Box(\sigma \rightarrow \forall\Diamond_{<\theta_3}\,\sigma)$

(ii) $\forall\theta_1\forall\theta_2 \cdot (\theta_2 < \theta_1 \rightarrow \forall\Box(\sigma \rightarrow \forall\Diamond_{<2\theta_1+2}\,\sigma))$

(iii) $\forall\theta_1 \cdot (\theta_1 \ge 5 \rightarrow \forall\Box(\sigma \rightarrow \forall\Diamond_{<2\theta_1+2}\,\sigma))$

The parameter synthesis problem associated to formula (i) asks for which values of $\theta_1$, $\theta_2$ and $\theta_3$ the formula is true at configuration $(q_0, 0)$. By observing the model and the formula, we can deduce the following constraint on the parameters: $\theta_3 > \theta_1 + \theta_2 + 2$. This means that any cycle through the four states has duration bounded by $\theta_1 + \theta_2 + 2$. Formula (ii) formalizes the next question: "In all the cases where the value assigned to parameter $\theta_1$ is greater than the value assigned to parameter $\theta_2$, is it true that any cycle has a duration bounded by $2\theta_1 + 2$?" As there is no free parameter in the question, the question has a yes-no answer. This is a model-checking problem. For formula (ii), the answer is yes in configuration $(q_0, 0)$. Finally, formula (iii) leaves parameter $\theta_2$ free and formalizes the question: "What are the possible values that can be given to $\theta_2$ such that for any value of $\theta_1 \ge 5$, a cycle through the four states lasts at most $2\theta_1 + 1$ time units?" This is again a parameter synthesis problem and the answer is $\theta_2 \le 4$.

In this paper, we study the algorithmic treatment of such problems. Our results are as follows. On the negative side, we show that the model-checking problem of TCTL extended with parameters is undecidable over timed automata with only one parametric clock. The undecidability result needs equality in the logic. On the positive side, we show that the model-checking problem becomes decidable and the parameter synthesis problem is solvable for a fragment of the logic where equality is not allowed. Our algorithm is based on automata theoretic principles and an extension of our method (see [5]) to express durations of runs in a timed automaton using Presburger arithmetic. As a corollary, we obtain the decidability of the emptiness problem for discrete-timed automata with one parametric clock proved by Alur et al in [2]. All the formulae given in the example above are in the decidable fragment.

The paper is organized as follows. In Section 2, we introduce the model of one paramet- 
ric clock discrete-timed automaton and the parametric extension of TCTL that we consider. 
In Section 3, we establish the undecidability of the model-checking problem if equality can 
be used in the logic and we show how to solve the problem algorithmically for a fragment 
of the logic where equality is not allowed. Proofs of two important propositions introduced 
in Section 3 are postponed to Section 4. We finish the paper in Section 5 by drawing some 
conclusions. 

2. Parameters Everywhere 

In this section, we introduce parameters in the automaton used to model the system as 
well as in the logic used to specify properties of the system. The automata are parametric 
timed automata as defined in [2] with a discrete time domain and one parametric clock. 
The logic is Parametric Timed CTL Logic as defined in [5]. We introduce the problems 
that we want to solve and we conclude the section with an example. 

Notation 2.1. Let $\Theta$ be a fixed finite set of parameters $\theta$ that are shared by the automaton and the logical formulae. A parameter valuation for $\Theta$ is a function $v : \Theta \to \mathbb{N}$ which assigns a natural number to each parameter $\theta \in \Theta$. In the sequel, $\alpha, \beta, \ldots$ mean any linear term $\sum_{i \in I} c_i\theta_i + c$, with $c_i, c \in \mathbb{N}$ and $\{\theta_i \mid i \in I\} \subseteq \Theta$. A parameter valuation $v$ is naturally extended to linear terms by defining $v(c) = c$ for any $c \in \mathbb{N}$.

We denote by $x$ the unique parametric clock. The same notation $x$ is used for both the clock and a value of the clock. A guard $g$ is any conjunction of $x \sim \alpha$ with ${\sim} \in \{=, <, \le, >, \ge\}$. We denote by $G$ the set of guards. Notation $x \models_v g$ means that $x$ satisfies $g$ under valuation $v$. We use notation $\Sigma$ for the set of atomic propositions.

2.1. Parametric Timed Automata. We recall the definition of one parametric clock discrete-timed automata as introduced in [2].

We make the hypothesis that non-parametric clocks have all been suppressed by a technique related to the region construction, see [2] for details.

Definition 2.2. A parametric timed automaton $A$ is a tuple $(Q, E, L, I)$, where $Q$ is a finite set of states, $E \subseteq Q \times \{0,1\} \times G \times 2^{\{x\}} \times Q$ is a finite set of edges, $L : Q \to 2^{\Sigma}$ is a labeling function and $I : Q \to G$ assigns an invariant $I(q) \in G$ to each state $q$.
A configuration of $A$ is a pair $(q, x)$, where $q$ is a state and $x$ is a clock value.

Whenever a parameter valuation $v$ is given, $A$ becomes a usual one-clock timed automaton denoted by $A^v$. We recall the next definitions of transition and run in $A^v$.

Definition 2.3. Let $v$ be a parameter valuation. A transition $(q, x) \xrightarrow{\tau} (q', x')$ between two configurations $(q, x)$ and $(q', x')$, with time increment $\tau \in \{0, 1\}$, is allowed in $A^v$ if (1) $x \models_v I(q)$ and $x' \models_v I(q')$, (2) there exists an edge $(q, \tau, g, r, q') \in E$ such that $x + \tau \models_v g$ and $x' = 0$ if $r = \{x\}$, $x' = x + \tau$ if $r = \emptyset$ (see footnote 1).

A run $\rho = (q_i, x_i)_{i \ge 0}$ of $A^v$ is an infinite sequence of transitions $(q_i, x_i) \xrightarrow{\tau_i} (q_{i+1}, x_{i+1})$ such that $\sum_{i \ge 0} \tau_i = \infty$ (see footnote 2). The duration $t = D_\rho(q_i, x_i)$ at configuration $(q_i, x_i)$ of $\rho$ is equal to $t = \sum_{0 \le j < i} \tau_j$. A finite run $\rho$ is a finite sequence of transitions. It is shortly denoted by $(q, x) \rightsquigarrow (q', x')$ such that $(q, x)$ (resp. $(q', x')$) is its first (resp. last) configuration. Its duration $D_\rho$ is equal to $D_\rho(q', x')$.

2.2. Parametric Timed CTL Logic. Formulae of Parametric Timed CTL logic, PTCTL for short, are formed by a block of quantifiers over some parameters followed by a quantifier-free temporal formula. They are defined as follows. Notation $\sigma$ means any atomic proposition $\sigma \in \Sigma$ and $\alpha, \beta$ are linear terms as before.

Definition 2.4. A PTCTL formula $f$ is of the form

$f = Q_1\theta_1 \cdots Q_k\theta_k \; \varphi$

such that $k \ge 0$, $\{\theta_1, \ldots, \theta_k\} \subseteq \Theta$, $Q_j \in \{\exists, \forall\}$ for each $j$, $1 \le j \le k$, and $\varphi$ is given by the following grammar

$\varphi ::= \sigma \mid \alpha \sim \beta \mid \neg\varphi \mid \varphi \vee \varphi \mid \exists\bigcirc\varphi \mid \varphi\,\exists U_{\sim\alpha}\,\varphi \mid \varphi\,\forall U_{\sim\alpha}\,\varphi$

Note that usual operators $\exists U$ and $\forall U$ are obtained as $\exists U_{\ge 0}$ and $\forall U_{\ge 0}$. We also use the following abbreviations: $\exists\Diamond_{\sim\alpha}\varphi$ for $\top\,\exists U_{\sim\alpha}\,\varphi$, $\forall\Diamond_{\sim\alpha}\varphi$ for $\top\,\forall U_{\sim\alpha}\,\varphi$, $\exists\Box_{\sim\alpha}\varphi$ for $\neg\forall\Diamond_{\sim\alpha}\neg\varphi$, and $\forall\Box_{\sim\alpha}\varphi$ for $\neg\exists\Diamond_{\sim\alpha}\neg\varphi$.

We use notation QF-PTCTL for the set of quantifier-free formulae $\varphi$ of PTCTL. The set of parameters of $\Theta$ that are free in $f$, that is, not under the scope of a quantifier, is denoted by $\Theta_f$. Thus, for a QF-PTCTL formula $\varphi$, we have $\Theta_\varphi = \Theta$ (recall that $\Theta$ is the set of parameters that appear in the formula and in the automaton).

Footnote 1. Note that time increment $\tau$ is first added to $x$, guard $g$ is then tested, and finally $x$ is reset according to $r$.

Footnote 2. Non-Zenoness property.
We now give the semantics of PTCTL.

Definition 2.5. Let $A$ be a parametric timed automaton and $(q, x)$ be a configuration of $A$. Let $f = Q_1\theta_1 \cdots Q_k\theta_k \; \varphi$ be a PTCTL formula. Given a parameter valuation $v$ on $\Theta_f$, the satisfaction relation $(q, x) \models_v f$ is defined inductively as follows. If $f = \varphi$, then $(q, x) \models_v \varphi$ according to the following rules:

• $(q, x) \models_v \sigma$ iff there exists (see footnote 3) a run $\rho = (q_i, x_i)_{i \ge 0}$ in $A^v$ with $(q, x) = (q_0, x_0)$ and $\sigma \in L(q)$

• $(q, x) \models_v \alpha \sim \beta$ iff there exists a run $\rho = (q_i, x_i)_{i \ge 0}$ in $A^v$ with $(q, x) = (q_0, x_0)$ and $v(\alpha) \sim v(\beta)$

• $(q, x) \models_v \neg\varphi$ iff $(q, x) \not\models_v \varphi$

• $(q, x) \models_v \varphi \vee \psi$ iff $(q, x) \models_v \varphi$ or $(q, x) \models_v \psi$

• $(q, x) \models_v \exists\bigcirc\varphi$ iff there exists a run $\rho = (q_i, x_i)_{i \ge 0}$ in $A^v$ with $(q, x) = (q_0, x_0)$ and $(q_1, x_1) \models_v \varphi$

• $(q, x) \models_v \varphi\,\exists U_{\sim\alpha}\,\psi$ iff there exists a run $\rho = (q_i, x_i)_{i \ge 0}$ in $A^v$ with $(q, x) = (q_0, x_0)$, there exists $i \ge 0$ such that $D_\rho(q_i, x_i) \sim v(\alpha)$, $(q_i, x_i) \models_v \psi$ and $(q_j, x_j) \models_v \varphi$ for all $j < i$

• $(q, x) \models_v \varphi\,\forall U_{\sim\alpha}\,\psi$ iff for any run $\rho = (q_i, x_i)_{i \ge 0}$ in $A^v$ with $(q, x) = (q_0, x_0)$, there exists $i \ge 0$ such that $D_\rho(q_i, x_i) \sim v(\alpha)$, $(q_i, x_i) \models_v \psi$ and $(q_j, x_j) \models_v \varphi$ for all $j < i$

If $f = \exists\theta f'$, then $(q, x) \models_v f$ iff there exists $c \in \mathbb{N}$ such that $(q, x) \models_{v'} f'$ where $v'$ is defined on $\Theta_{f'}$ by $v' = v$ on $\Theta_f$ and $v'(\theta) = c$. If $f = \forall\theta f'$, then $(q, x) \models_v f$ iff for all $c \in \mathbb{N}$, $(q, x) \models_{v'} f'$ where $v'$ is defined on $\Theta_{f'}$ by $v' = v$ on $\Theta_f$ and $v'(\theta) = c$.



2.3. Problems. The problems that we want to solve in this paper are the following ones. The first problem is the model-checking problem for PTCTL formulae $f$ with no free parameters. In this case, we omit the index $v$ in the satisfaction relation $(q, x) \models f$ since no parameter (neither in the automaton nor in the formula) has to receive a valuation.

Problem 2.6. The model-checking problem is the following. Given a parametric timed automaton $A$ and a PTCTL formula $f$ such that $\Theta_f = \emptyset$, given a configuration $(q, x)$ of $A$, does $(q, x) \models f$ hold?

The second problem is the more general problem of parameter synthesis for PTCTL formulae $f$ such that $\Theta_f$ is any subset of $\Theta$.

Problem 2.7. The parameter synthesis problem is the following. Given a parametric timed automaton $A$ and a configuration $(q, x)$ of $A$, given a PTCTL formula $f$, compute a symbolic representation (see footnote 4) of the set of parameter valuations $v$ on $\Theta_f$ such that $(q, x) \models_v f$.

Example. We consider the example given in the introduction with the parametric timed automaton $A$ of Figure 1 and the two PTCTL formulae respectively equal to

$f : \forall\theta_1\forall\theta_2 \cdot (\theta_2 < \theta_1 \rightarrow \forall\Box(\sigma \rightarrow \forall\Diamond_{<2\theta_1+2}\,\sigma))$

and

$g : \forall\theta_1 \cdot (\theta_1 \ge 5 \rightarrow \forall\Box(\sigma \rightarrow \forall\Diamond_{<2\theta_1+2}\,\sigma))$.

Then $\Theta = \{\theta_1, \theta_2\}$, $\Theta_f = \emptyset$ and $\Theta_g = \{\theta_2\}$. The model-checking problem "does $(q_0, 0) \models f$ hold" has a yes answer. The parameter synthesis problem "for which parameter valuations $v$ on $\Theta_g$ does $(q_0, 0) \models_v g$ hold" receives the answer $\theta_2 \le 4$.

Footnote 3. We verify the existence of a run starting in $(q, x)$ to ensure that time can progress in $A^v$ from that configuration.

Footnote 4. For instance this representation could be given in a decidable logical formalism.

2.4. Comments. We end Section 2 by some comments on the definitions and the problems presented above.

(1) We consider timed automata with only one parametric clock for the following reason. In [2], the authors investigate the following emptiness problem, which is a particular case of Problem 2.6: are there concrete values for the parameters so that a parametric timed automaton has an accepting run? They show that the emptiness problem is decidable when there is one parametric clock, that this problem is open for two parametric clocks, and that it becomes undecidable for three parametric clocks. They illustrate the hardness of the two-clock emptiness problem by presenting connections with difficult open problems in logic and automata theory.

Both discrete time and dense time are considered in [2], whereas we only deal with discrete time in this paper.

(2) To solve Problem 2.6 we use the same approach as in our paper [5] where we propose a simple proof of the model-checking problem for PTCTL over timed automata without parameters. We prove in [5] that the durations of runs starting from a region and ending in another region can be defined by a formula of Presburger arithmetic. It follows that the model-checking problem can be reduced to checking whether some sentence of Presburger arithmetic is true or false.

This approach is different from the one used in [1] when there is no parameter at all. We recall that in [1], an extra clock is added to the timed automaton and the model-checking is solved thanks to a labeling (like for CTL) of the region graph of the augmented automaton. We have not investigated this kind of approach here, because the additional clock would be parametric, leading to two parametric clocks inside the automaton.

(3) Linear terms $\alpha$ are present in the definition of parametric timed automata (inside the guards and the invariants) as well as in the definition given for PTCTL. More generally full Presburger arithmetic is present in PTCTL. Alternative restricted definitions could be

• for parametric timed automata: guards and invariants are restricted to conjunctions of $x \sim \theta$, $x \sim c$ (instead of any conjunction of $x \sim \alpha$);

• for PTCTL: the restricted grammar

$\varphi ::= \sigma \mid \neg\varphi \mid \varphi \vee \varphi \mid \exists\bigcirc\varphi \mid \varphi\,\exists U_{\sim\theta}\,\varphi \mid \varphi\,\exists U_{\sim c}\,\varphi \mid \varphi\,\forall U_{\sim\theta}\,\varphi \mid \varphi\,\forall U_{\sim c}\,\varphi$

is used instead of the grammar proposed in Definition 2.4.

In this way, the constraints over the parameters are restricted to comparisons with a parameter or with a constant, instead of comparisons with a linear term over parameters.

However we observe in Remark 3.5 below that the undecidability result about the model-checking problem is the same when using Definitions 2.2 and 2.4 or with the above restricted definitions.
3. Decision Problems

In this section, we prove that the model-checking problem is undecidable. The undecidability comes from the use of equality in the operators $\exists U_{\sim\alpha}$ and $\forall U_{\sim\alpha}$. Then for a fragment F-PTCTL of PTCTL where equality is forbidden, we prove that the model-checking problem becomes decidable. In this case, we also positively solve the parameter synthesis problem. Our proofs use Presburger arithmetic and its extension with integer divisibility.

Let us introduce the precise definition of the fragment F-PTCTL (see footnote 5).

Definition 3.1. Notation F-PTCTL is used to denote the fragment of PTCTL where the equality is forbidden in the operators $\exists U_{\sim\alpha}$ and $\forall U_{\sim\alpha}$, and the inequalities $>$, $\ge$ are forbidden in $\forall U_{\sim\alpha}$. More precisely, an F-PTCTL formula $f$ is of the form $f = Q_1\theta_1 \cdots Q_k\theta_k \; \varphi$ such that $\varphi$ is given by the grammar

$\varphi ::= \sigma \mid \alpha \sim \beta \mid \neg\varphi \mid \varphi \vee \varphi \mid \exists\bigcirc\varphi$
$\qquad \mid \varphi\,\exists U_{<\alpha}\,\varphi \mid \varphi\,\exists U_{\le\alpha}\,\varphi \mid \varphi\,\exists U_{>\alpha}\,\varphi \mid \varphi\,\exists U_{\ge\alpha}\,\varphi$
$\qquad \mid \varphi\,\forall U_{<\alpha}\,\varphi \mid \varphi\,\forall U_{\le\alpha}\,\varphi \mid \varphi\,\forall U\,\varphi$
3.1. Undecidability for PTCTL. We prove here that Problem 2.6 is undecidable for PTCTL. The proof relies on the undecidability of Presburger arithmetic with divisibility.

Presburger arithmetic with divisibility is an extension of Presburger arithmetic with the integer divisibility relation. The additional divisibility relation is denoted by $z \mid z'$ and means "$z$ divides $z'$". Every formula of Presburger arithmetic with divisibility can be put into normal form:

$Q z_1\, Q z_2 \ldots Q z_n \; (\neg)\phi_1 * (\neg)\phi_2 * \cdots * (\neg)\phi_m \qquad (3.1)$

where $*$ belongs to $\{\vee, \wedge\}$, $(\neg)$ means that negation is optional and each $\phi_i$ is one of the following atomic formulae: (i) $z = \alpha$, (ii) $z > \alpha$, (iii) $z \mid z'$, such that $\alpha$ is a linear term and $z' > 0$. While Presburger arithmetic has a decidable theory, Presburger arithmetic with divisibility is undecidable.

Theorem 3.2. For any sentence $\Phi$ of Presburger arithmetic with divisibility, we can construct a parametric timed automaton $A$, a configuration $(q, x_0)$ and a PTCTL formula $f$ such that $\Phi$ is true iff the answer to the model-checking problem $(q, x_0) \models f$ for $A$ is YES.

Proof. Let us make the assumption that the sentence $\Phi$ is in normal form (3.1). We are going to construct a PTCTL formula $f$ and a parametric timed automaton $A$. The set $\Theta$ of parameters is equal to the set of all the variables used in $\Phi$.

For each subformula $\phi_i$ of the form $z = \alpha$ or $z > \alpha$, we define the PTCTL formula $\hat\phi_i$ equal to $\phi_i$. For each subformula $\phi_i$ of the form $z \mid z'$, we construct the next parametric timed automaton $A_i$ and PTCTL formula $\hat\phi_i$. The automaton $A_i$ is given in Figure 2. We label the unique initial state $i_i$ of this automaton by $\sigma^i_1$ and the unique final state $f_i$ by $\sigma^i_2$. It is easy to see that there is a run $\rho$ from the initial configuration $(i_i, 0)$ to the final configuration $(f_i, z)$ with duration $D_\rho$ iff $z \mid D_\rho$. For formula $\hat\phi_i$, we take $\sigma^i_1 \wedge \exists\Diamond_{=z'}\,\sigma^i_2$.

Footnote 5. In the preliminary version [6] of this paper, we considered a fragment of PTCTL that is larger than F-PTCTL. The grammar of the proposed fragment was equal to the grammar proposed in Definition 3.1 extended with $\varphi\,\forall U_{>\alpha}\,\varphi$ and $\varphi\,\forall U_{\ge\alpha}\,\varphi$. We have found a mistake in the proof of the decidability of the model-checking for this fragment.
Figure 2: Automaton for $z \mid z'$ (its loop edge is labeled with guard $x = z$ and reset $\{x\}$)

Now we construct formula $f$ as follows

$f : Q z_1\, Q z_2 \cdots Q z_n \; (\neg)\hat\phi_1 * (\neg)\hat\phi_2 * \cdots * (\neg)\hat\phi_m$.

We construct the automaton $A$ by first taking the union of all the previous automata $A_i$ (introduced for the divisibility subformulae). We then merge their initial states into a unique state of $A$ that we call $q$. The label $L(q)$ of $q$ is the union of the labels $\sigma^i_1$. Finally, we add a new state $q'$ to $A$ and an edge $(f_i, 0, \top, \emptyset, q')$ from any final state $f_i$ of $A_i$ to state $q'$, labeled with $\tau = 0$ and without any guard and reset. To complete the construction, we add a self-loop $(q', 1, \top, \emptyset, q')$ on $q'$ that allows time to progress.

It is easy to see that given $A$, we have $(q, 0) \models f$ iff $\Phi$ is true. □
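The following Python program is an added example and is not code from the paper. It implements the transition relation of Definition 2.3 by brute force and uses it twice: for the cycle automaton of the introduction and Section 2.3, and for the divisibility gadget of the proof above. Since Figure 1 is not reproduced here, the cycle automaton is a constructed stand-in that follows the text's description (leave $q_0$ at once, stay at most $\theta_1$ in $q_1$, exactly $\theta_2$ in $q_2$, and at most 2 further time units in $q_3$, so that a cycle lasts at most $\theta_1 + \theta_2 + 2$); enumerating cycle durations then recovers the constraint $\theta_3 > \theta_1 + \theta_2 + 2$ and the answer $\theta_2 \le 4$ by exhaustive search over a finite box, which is a sanity check, not the paper's Presburger-based method. The gadget for $z \mid z'$ is also a constructed encoding of the loop edge of Figure 2. All identifiers, the dictionary encoding of automata and the search bounds are assumptions; non-Zenoness of the continuation run is not modelled.

```python
"""Brute-force semantics of one-parametric-clock discrete-timed automata (added example)."""
from collections import deque
from itertools import product

TOP = lambda x, th: True                     # trivial guard / invariant

def automaton(states, edges, inv, labels):
    """edges: list of (q, tau, guard, reset, q') with guard(x, theta) -> bool and
    reset in {True, False}; inv: state -> invariant callable; labels: state -> set."""
    return {"states": states, "edges": edges, "inv": inv, "labels": labels}

def step(aut, conf, theta):
    """Transitions (q,x) -tau-> (q',x') allowed in A^theta, following Definition 2.3:
    add tau, test the guard, then reset; invariants must hold at both ends."""
    q, x = conf
    if not aut["inv"][q](x, theta):
        return
    for (p, tau, guard, reset, p2) in aut["edges"]:
        if p != q or not guard(x + tau, theta):
            continue
        x2 = 0 if reset else x + tau
        if aut["inv"][p2](x2, theta):
            yield tau, (p2, x2)

def durations(aut, start, target, theta, bound):
    """Durations D <= bound of finite runs start ~> (target, .) that visit target only
    at their last configuration (a cycle is measured from leaving to first return)."""
    found, seen = set(), {(start, 0)}
    queue = deque([(start, 0)])
    while queue:
        conf, d = queue.popleft()
        for tau, nxt in step(aut, conf, theta):
            d2 = d + tau
            if d2 > bound:
                continue
            if nxt[0] == target:
                found.add(d2)
            elif (nxt, d2) not in seen:
                seen.add((nxt, d2))
                queue.append((nxt, d2))
    return found

# (a) Constructed stand-in for Figure 1 (assumption): leave q0 at once, stay at most
# theta1 in q1, exactly theta2 in q2, at most 2 in q3, then return to q0.
CYCLE = automaton(
    ["q0", "q1", "q2", "q3"],
    [("q0", 0, TOP, True, "q1"),
     ("q1", 1, TOP, False, "q1"), ("q1", 0, TOP, True, "q2"),
     ("q2", 1, TOP, False, "q2"), ("q2", 0, lambda x, th: x == th["t2"], True, "q3"),
     ("q3", 1, TOP, False, "q3"), ("q3", 0, TOP, True, "q0")],
    {"q0": TOP, "q1": lambda x, th: x <= th["t1"],
     "q2": lambda x, th: x <= th["t2"], "q3": lambda x, th: x <= 2},
    {"q0": {"sigma"}, "q1": set(), "q2": set(), "q3": set()})

def cycle_durations(t1, t2):
    """All durations of one cycle q0 ~> q0 under the valuation theta1=t1, theta2=t2."""
    return durations(CYCLE, ("q0", 0), "q0", {"t1": t1, "t2": t2}, t1 + t2 + 10)

def synthesize_theta3(max_t1, max_t2, max_t3):
    """Valuations (t1,t2,t3) in a finite box such that every cycle from q0 returns in
    less than t3 time units (the intended reading of formula (i)): t3 > t1 + t2 + 2."""
    box = product(range(max_t1 + 1), range(max_t2 + 1), range(max_t3 + 1))
    return {(t1, t2, t3) for t1, t2, t3 in box if max(cycle_durations(t1, t2)) < t3}

def synthesize_theta2_formula_iii(max_t2, max_t1):
    """Values of theta2 such that for every theta1 in [5, max_t1] every cycle lasts at
    most 2*theta1 + 1 time units (formula (iii)); the binding case is theta1 = 5."""
    return {t2 for t2 in range(max_t2 + 1)
            if all(max(cycle_durations(t1, t2)) < 2 * t1 + 2 for t1 in range(5, max_t1 + 1))}

# (b) Divisibility gadget of Theorem 3.2 (constructed encoding of Figure 2): tick in i
# while x < z, reset when x == z, or leave to f when x == z; reaching f takes k*z, k >= 1.
GADGET = automaton(
    ["i", "f"],
    [("i", 1, lambda x, th: x <= th["z"], False, "i"),
     ("i", 0, lambda x, th: x == th["z"], True, "i"),
     ("i", 0, lambda x, th: x == th["z"], False, "f")],
    {"i": TOP, "f": TOP}, {"i": {"s1"}, "f": {"s2"}})

def divides_by_run(z, zp):
    """z | z' (z' > 0) iff some run (i,0) ~> (f, .) has duration exactly z'."""
    return zp in durations(GADGET, ("i", 0), "f", {"z": z}, zp)
```

Because the clock is bounded by the largest constant reachable under a fixed valuation, the breadth-first search over (configuration, duration) pairs terminates for every finite duration bound; the box search only illustrates the constraints, and it is the Presburger construction of Section 3.2 that yields them for all valuations at once.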

As a direct consequence of Theorem 3.2, we have:

Corollary 3.3. The model-checking problem for PTCTL is undecidable.

Remark 3.4. In the previous proof, all the proposed PTCTL formulae $\hat\phi_i$ only use the subscript $=$ in the operators $\exists U_{\sim\theta}$ and $\forall U_{\sim\theta}$. It follows that the model-checking problem is already undecidable with the grammar

$\varphi ::= \sigma \mid \alpha \sim \beta \mid \neg\varphi \mid \varphi \vee \varphi \mid \exists\bigcirc\varphi \mid \varphi\,\exists U_{=\alpha}\,\varphi \mid \varphi\,\forall U_{=\alpha}\,\varphi$

instead of the grammar given in Definition 2.4.

Remark 3.5. Given a sentence $\Phi$ of Presburger arithmetic with divisibility, we have shown in the proof of Theorem 3.2 how to construct a parametric timed automaton $A$, a configuration $(q, x_0)$ and a PTCTL formula $f$ such that $\Phi$ is true iff the answer to the model-checking problem $(q, x_0) \models f$ for $A$ is yes.

As mentioned in Section 2.4 (see Comment 3), we could consider alternative restricted definitions for parametric timed automata and PTCTL. We say that a parametric timed automaton is restricted and that a formula of PTCTL is restricted if they respect the restricted definitions given in Comment 3 of Section 2.4.

Let us show that given a sentence $\Phi$ of Presburger arithmetic with divisibility, we can construct a restricted parametric timed automaton $A$, a configuration $(q, x_0)$ and a restricted formula $f$ of PTCTL such that $\Phi$ is true iff the answer to the model-checking problem $(q, x_0) \models f$ for $A$ is yes. The proof is in the same vein as the previous one. The sentence $\Phi$ is supposed to be in normal form like in (3.1) with each subformula $\phi_i$ of the form $z = \alpha$, $z > \alpha$, or $z \mid z'$. We first treat the case $z = \alpha$ (with hints on the construction with $\alpha = 2\theta + 2$). Instead of defining $\hat\phi_i$ equal to $\phi_i$ as in the previous proof, we consider the restricted parametric timed automaton of Figure 3 and the restricted formula $\hat\phi_i$ equal to $\sigma^i_1 \wedge \exists\Diamond_{=z}\,\sigma^i_2$. The case $z > \alpha$ is treated similarly: for the example of $z > 2\theta + 1$, the automaton is the one of Figure 3 with an additional loop with label 1 on the rightmost location, and the formula is again equal to $\sigma^i_1 \wedge \exists\Diamond_{=z}\,\sigma^i_2$. Finally the case $z \mid z'$ is treated as in the previous proof since the automaton and the formula that were proposed are both restricted.

Figure 3: Automaton for $z = 2\theta + 2$

It follows that the model-checking problem with the restricted definitions of parametric timed automata and logic PTCTL is still undecidable. Notice that again all the proposed restricted formulae $\hat\phi_i$ only use the equality in the operators $\exists U_{\sim\theta}$ and $\forall U_{\sim\theta}$.

3.2. Decidability for F-PTCTL. In this section, we provide solutions to the model-checking problem and the parameter synthesis problem for F-PTCTL. Our approach is as follows. Given a state $q$ and a formula $\varphi$ of QF-F-PTCTL (see footnote 6), we construct a Presburger formula $\Lambda_{q,\varphi}(x, \Theta)$ with $x$ and all $\theta \in \Theta$ as free variables such that

$(q, x_0) \models_v \varphi$ iff $\Lambda_{q,\varphi}(x_0, v(\Theta))$ is true

for any valuation $v$ on $\Theta$ and any value $x_0$ of the clock (see Theorem 3.8). Solutions to Problems 2.6 and 2.7 will be obtained as a corollary (see Corollaries 3.11 and 3.12). For instance, the decidability of the model-checking problem will derive from the decidability of Presburger arithmetic. Indeed, if we denote by $Q\Theta\,\varphi$ an F-PTCTL formula $f$ with no free parameters, then to test if $(q, x_0) \models f$ is equivalent to test if the sentence $Q\Theta\,\Lambda_{q,\varphi}(x_0, \Theta)$ is TRUE.

Example. Consider the parametric timed automaton of Figure 1 and the QF-F-PTCTL formula $\varphi$ equal to $\forall\Box(\sigma \rightarrow \forall\Diamond_{<\theta_3}\,\sigma)$. Then $\Theta = \{\theta_1, \theta_2, \theta_3\}$. Presburger formula $\Lambda_{q_0,\varphi}(x, \Theta)$ is here equal to $\theta_1 + \theta_2 + 2 < \theta_3$ with no reference to $x$ since it is reset along the edge from $q_0$ to $q_1$. Thus $(q_0, x_0) \models_v \varphi$ for any clock value $x_0$ and any valuation $v$ such that $v(\theta_1) + v(\theta_2) + 2 < v(\theta_3)$. The model-checking problem $(q_0, x_0) \models \forall\theta_1\forall\theta_2\exists\theta_3\,\varphi$ has a yes answer for any $x_0$ because the sentence $\forall\theta_1\forall\theta_2\exists\theta_3\,(\theta_1 + \theta_2 + 2 < \theta_3)$ is true in Presburger arithmetic. If clock $x$ was not reset along the edge from $q_0$ to $q_1$, then the formula $\Lambda_{q_0,\varphi}(x, \Theta)$ would be equal to $(\theta_1 + \theta_2 + 2 < \theta_3) \wedge (x \le \theta_1)$ and the above model-checking problem would have a yes answer iff $\forall\theta_1\forall\theta_2\exists\theta_3\,(\theta_1 + \theta_2 + 2 < \theta_3) \wedge (x \le \theta_1)$, that is $x = 0$ (the quantification over $\theta_1$ includes $\theta_1 = 0$).

As indicated by this example, the Presburger formula $\Lambda_{q,\varphi}(x, \Theta)$ constructed from the QF-F-PTCTL formula $\varphi$ is a boolean combination of terms of the form $\theta \sim \alpha$ or $x \sim \alpha$ where $\theta$ is a parameter, $x$ is the clock and $\alpha$ is a linear term over parameters. Formula $\Lambda_{q,\varphi}(x, \Theta)$ must be seen as a syntactic translation of formula $\varphi$ into Presburger arithmetic. The question "does $(q, x_0) \models f$ hold" with $f = Q\Theta\,\varphi$ is translated into the question "is the Presburger sentence $Q\Theta\,\Lambda_{q,\varphi}(x_0, \Theta)$ true". At this point only, semantic inconsistencies inside $Q\Theta\,\Lambda_{q,\varphi}(x_0, \Theta)$ are looked for to check if this sentence is true or not.

Footnote 6. Notation QF- has been introduced after Definition 2.4 to mention that $\varphi$ is a quantifier-free formula.

V. BRUYÈRE AND J.-F. RASKIN

Our proofs require to work with a set $G$ of guards that is more general than in Notation 2.1.

Notation 3.6. Linear terms $\alpha, \beta, \ldots$ are any $\sum_i c_i\theta_i + c$, with $c_i, c \in \mathbb{Z}$ (instead of $\mathbb{N}$). Comparison symbol $\sim$ used in expressions like $x \sim \alpha$ and $\alpha \sim \beta$ belongs to the extended set $\{=, <, \le, >, \ge, \equiv_{a,\le}, \equiv_{a,\ge}\}$. For any constant $a \in \mathbb{N}^+$, notation $z \equiv_{a,\le} z'$ means $z \equiv z' \pmod a$ and $z \le z'$. Equivalently, this means that there exists $y \in \mathbb{N}$ such that $z + ay = z'$. Notation $z \equiv_{a,\ge} z'$ means $z \equiv z' \pmod a$ and $z \ge z'$.

Any $x \sim \alpha$ is called an $x$-atom, any $\alpha \sim \beta$ is called a $\theta$-atom. An $x$-conjunction is any conjunction of $x$-atoms, and a $\theta$-conjunction is any conjunction of $\theta$-atoms. We denote by $B_{x,\Theta}$ the set of boolean combinations of $x$-atoms and $\theta$-atoms. A guard is any element of $B_{x,\Theta}$. Thus the set $G$ of Notation 2.1 is now equal to the set $B_{x,\Theta}$.

From now on, it is supposed that the guards and the invariants appearing in parametric timed automata belong to the generalized set $G = B_{x,\Theta}$. It should be noted that the extension of $\sim$ to $\{=, <, \le, >, \ge, \equiv_{a,\le}, \equiv_{a,\ge}\}$ is only valid inside automata, and not inside PTCTL formulae. We shortly call automaton any parametric timed automaton $A$.

The next lemma states that any $B_{x,\Theta}$ formula is a Presburger formula. It also states that this formula can be rewritten in a particular form that will be useful later.

Lemma 3.7. Any $B_{x,\Theta}$ formula is a Presburger formula. It can be rewritten as a disjunction of conjunctions of $x$-atoms and $\theta$-atoms with $\sim$ limited to $\{=, \le, \ge, \equiv_{a,\le}, \equiv_{a,\ge}\}$.

Proof. Operators $\equiv_{a,\le}$ and $\equiv_{a,\ge}$ are easily rewritten in Presburger arithmetic. Even if linear terms $\alpha, \beta, \ldots$ contain constants in $\mathbb{Z}$, any $x \sim \alpha$ and $\alpha \sim \beta$ can also be rewritten in Presburger arithmetic. This shows that any $B_{x,\Theta}$ formula is a Presburger formula.

To rewrite a $B_{x,\Theta}$ formula as described in the lemma, it is first put into disjunctive normal form. Second, negation is suppressed in any $\neg(z \sim z')$ as follows. This is done easily for ${\sim} \in \{<, \le, >, \ge\}$. Negation $\neg(z = z')$ is replaced by $z < z' \vee z > z'$. Negation $\neg(z \equiv_{a,\le} z')$ is equivalent to $(z > z') \vee (\bigvee_{0 < b < a} z + b \equiv_{a,\le} z')$. Similarly for $\neg(z \equiv_{a,\ge} z')$. Third, all inequalities $z < z'$ and $z > z'$ are replaced respectively by $z \le z' - 1$ and $z \ge z' + 1$. Finally this formula is put into disjunctive normal form. □
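The rewriting of Lemma 3.7, as an added example that is not code from the paper. Atoms $z \sim z'$ over linear terms are represented as small tuples, the comparators $\equiv_{a,\le}$ and $\equiv_{a,\ge}$ are spelled `mod<=` and `mod>=` (an assumed encoding), `to_dnf` pushes negation into the atoms and eliminates $<$ and $>$ exactly as the proof prescribes, and `equivalent` checks the result against the input by exhaustive evaluation on a finite box. The sample formula at the end is constructed; `holds` also evidences the first part of the lemma, since $z \equiv_{a,\le} z'$ is decided as "$z' - z$ is a non-negative multiple of $a$", the Presburger reading of Notation 3.6.

```python
"""Lemma 3.7 made executable: negation elimination and DNF for B_{x,Theta} formulas."""
from itertools import product

def term(coefs=None, const=0):
    """Linear term sum(c_i * v_i) + const, e.g. term({"theta1": 2}, 2) is 2*theta1 + 2."""
    return (dict(coefs or {}), const)

def tval(t, env):
    return t[1] + sum(c * env[v] for v, c in t[0].items())

def shift(t, k):
    """The term t + k."""
    return (t[0], t[1] + k)

def holds(atom, env):
    """Truth of one atom (op, a, lhs, rhs); a is the modulus for the mod-comparators."""
    op, a, l, r = atom
    z, zp = tval(l, env), tval(r, env)
    if op == "=":     return z == zp
    if op == "<":     return z < zp
    if op == "<=":    return z <= zp
    if op == ">":     return z > zp
    if op == ">=":    return z >= zp
    if op == "mod<=": return (zp - z) % a == 0 and z <= zp   # exists y >= 0: z + a*y = z'
    if op == "mod>=": return (z - zp) % a == 0 and z >= zp
    raise ValueError(op)

def evaluate(f, env):
    """f is ("atom", atom) | ("not", g) | ("and", g, h) | ("or", g, h)."""
    tag = f[0]
    if tag == "atom": return holds(f[1], env)
    if tag == "not":  return not evaluate(f[1], env)
    if tag == "and":  return evaluate(f[1], env) and evaluate(f[2], env)
    return evaluate(f[1], env) or evaluate(f[2], env)

def negate_atom(atom):
    """Negation of an atom as a disjunction (list) of atoms, per the proof of Lemma 3.7."""
    op, a, l, r = atom
    flip = {"<": ">=", "<=": ">", ">": "<=", ">=": "<"}
    if op in flip:
        return [(flip[op], None, l, r)]
    if op == "=":
        return [("<", None, l, r), (">", None, l, r)]
    if op == "mod<=":   # not(z =_{a,<=} z') iff z > z' or z + b =_{a,<=} z' for some 0 < b < a
        return [(">", None, l, r)] + [("mod<=", a, shift(l, b), r) for b in range(1, a)]
    return [("<", None, l, r)] + [("mod>=", a, shift(l, b), r) for b in range(1, a)]

def strictless(atom):
    """z < z' becomes z <= z' - 1 and z > z' becomes z >= z' + 1 (integer domain)."""
    op, a, l, r = atom
    if op == "<":  return ("<=", None, l, shift(r, -1))
    if op == ">":  return (">=", None, l, shift(r, 1))
    return atom

def to_dnf(f, neg=False):
    """Disjunction (list) of conjunctions (lists) of atoms using only =, <=, >=, mod<=, mod>=."""
    tag = f[0]
    if tag == "atom":
        atoms = negate_atom(f[1]) if neg else [f[1]]
        return [[strictless(at)] for at in atoms]
    if tag == "not":
        return to_dnf(f[1], not neg)
    if (tag == "and") != neg:            # a conjunction (or a negated disjunction): distribute
        return [c1 + c2 for c1 in to_dnf(f[1], neg) for c2 in to_dnf(f[2], neg)]
    return to_dnf(f[1], neg) + to_dnf(f[2], neg)

def eval_dnf(dnf, env):
    return any(all(holds(at, env) for at in conj) for conj in dnf)

ALLOWED = {"=", "<=", ">=", "mod<=", "mod>="}

def equivalent(f, variables, lo=0, hi=8):
    """True iff to_dnf(f) uses only the allowed comparators and agrees with f on [lo,hi]^n."""
    dnf = to_dnf(f)
    if any(at[0] not in ALLOWED for conj in dnf for at in conj):
        return False
    for vals in product(range(lo, hi + 1), repeat=len(variables)):
        env = dict(zip(variables, vals))
        if evaluate(f, env) != eval_dnf(dnf, env):
            return False
    return True

# Constructed sample:  not(x =_{3,<=} theta1 + 2)  or  (x < theta1  and  theta1 = 2*theta2)
X, T1, T2 = term({"x": 1}), term({"theta1": 1}), term({"theta2": 1})
SAMPLE = ("or",
          ("not", ("atom", ("mod<=", 3, X, shift(T1, 2)))),
          ("and", ("atom", ("<", None, X, T1)), ("atom", ("=", None, T1, term({"theta2": 2})))))
```

The finite box in `equivalent` is only a test harness; the rewriting itself is purely syntactic, which is what makes it usable inside the guards and invariants of Notation 3.6.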

Let us now state our main result.

Theorem 3.8. Let $A$ be an automaton and $q$ be a state of $A$. Let $\varphi$ be a QF-F-PTCTL formula. Then there exists a $B_{x,\Theta}$ formula $\Lambda_{q,\varphi}(x, \Theta)$ with $x$ and all $\theta \in \Theta$ as free variables such that

$(q, x_0) \models_v \varphi$ iff $\Lambda_{q,\varphi}(x_0, v(\Theta))$ is true

for any valuation $v$ on $\Theta$ and any clock value $x_0$. The construction of formula $\Lambda_{q,\varphi}$ is effective.

The proof of Theorem 3.8 is by induction on the way formula $\varphi$ is constructed. Before detailing its proof, we roughly give the main ideas. First, suppose for instance that along a run $\rho = (q_i, x_i)_{i \ge 0}$ of $A^v$ showing that $(q_0, x_0) \models_v \varphi$, some configuration, say $(q_j, x_j)$, needs to satisfy $(q_j, x_j) \models_v \psi$ with $\psi$ a subformula of $\varphi$. The automaton $A$ is modified into $A'$ such that the invariant $I(q_j)$ is augmented (see footnote 7) by the $B_{x,\Theta}$ formula $\Lambda_{q_j,\psi}$ constructed by induction. Along the run $\rho$ seen in the modified automaton $A'$, the satisfaction relation $(q_j, x_j) \models_v \psi$ holds automatically thanks to the augmented invariant of $q_j$. Second, what we also need is a $B_{x,\Theta}$ formula that expresses the existence of an infinite run starting at a given configuration (for operator $\exists\Box$ for instance) and another one that expresses the existence of a finite run $\rho$ starting and ending at given configurations such that $D_\rho \sim v(\alpha)$ (for operator $\exists U_{\sim\alpha}$ for instance). This is possible by the next two propositions. Their proofs are postponed till Section 4.

Footnote 7. Such kind of invariant is allowed in Notation 3.6.

Proposition 3.9. Let $A$ be an automaton and $q$ be a state. Then there exists a $B_{x,\Theta}$ formula $\mathrm{Run}_q(x, \Theta)$ such that for any valuation $v$ and any clock value $x_0$,

$\mathrm{Run}_q(x_0, v(\Theta))$ is true

iff there exists an infinite run in $A^v$ starting with $(q, x_0)$. The construction of $\mathrm{Run}_q(x, \Theta)$ is effective.

Proposition 3.10. Let $A$ be an automaton and $q, q'$ be two states. Let ${\sim} \in \{<, \le, >, \ge\}$ and $\alpha$ be a linear term. Then there exists a $B_{x,\Theta}$ formula $\mathrm{Duration}^{\sim\alpha}_{q,q'}(x, \Theta)$ such that for any valuation $v$ and any clock value $x_0$,

$\mathrm{Duration}^{\sim\alpha}_{q,q'}(x_0, v(\Theta))$ is true

iff there exists a finite run $\rho = (q, x_0) \rightsquigarrow (q', \cdot)$ in $A^v$ with $D_\rho \sim v(\alpha)$. The construction of $\mathrm{Duration}^{\sim\alpha}_{q,q'}(x, \Theta)$ is effective.

For the proof of Theorem 3.8, instead of the grammar given in Definition 3.1 we prefer to work with the grammar

$\varphi ::= \sigma \mid \alpha \sim \beta \mid \neg\varphi \mid \varphi \vee \varphi \mid \exists\bigcirc\varphi$
$\qquad \mid \varphi\,\exists U_{<\alpha}\,\varphi \mid \varphi\,\exists U_{\le\alpha}\,\varphi \mid \varphi\,\exists U_{>\alpha}\,\varphi \mid \varphi\,\exists U_{\ge\alpha}\,\varphi$
$\qquad \mid \exists\Box_{<\alpha}\varphi \mid \exists\Box\varphi$

This grammar is equivalent because formula $\psi\,\forall U_{\sim\alpha}\,\phi$ with ${\sim} \in \{<, \le\}$ can be replaced by $\neg[(\exists\Box_{\sim\alpha}\neg\phi) \vee (\neg\phi\,\exists U_{\sim\alpha}\,(\neg\phi \wedge \neg\psi))]$, formula $\psi\,\forall U\,\phi$ by $\neg[(\exists\Box\neg\phi) \vee (\neg\phi\,\exists U\,(\neg\phi \wedge \neg\psi))]$, and formula $\exists\Box_{\le\alpha}\psi$ by $\exists\Box_{<\alpha+1}\psi$ (time is discrete).

It is not difficult to check that the semantics of the new operator $\exists\Box_{<\alpha}\psi$ is given by

$(q, x) \models_v \exists\Box_{<\alpha}\psi$ iff there exists a run $\rho = (q_i, x_i)_{i \ge 0}$ of $A^v$ with $(q, x) = (q_0, x_0)$, there exists $j \ge 0$ such that $D_\rho(q_j, x_j) \ge v(\alpha)$ and $(q_i, x_i) \models_v \psi$ for all $i < j$.

Proof (of Theorem 3.8). The proof is by induction on $\varphi$.

• If $\varphi = \sigma$, then $(q, x_0) \models_v \varphi$ iff there exists an infinite run starting with $(q, x_0)$ and $\sigma \in L(q)$. Therefore

$\Lambda_{q,\varphi}(x, \Theta) = \bot$ if $\sigma \notin L(q)$, and $\Lambda_{q,\varphi}(x, \Theta) = \mathrm{Run}_q(x, \Theta)$ otherwise.

• Similarly, if $\varphi = \alpha \sim \beta$ with ${\sim} \in \{=, <, \le, >, \ge\}$, then

$\Lambda_{q,\varphi}(x, \Theta) = (\alpha \sim \beta) \wedge \mathrm{Run}_q(x, \Theta)$.

• If $\varphi = \psi \vee \phi$, then $\Lambda_{q,\varphi} = \Lambda_{q,\psi} \vee \Lambda_{q,\phi}$.

• If $\varphi = \neg\psi$, then $\Lambda_{q,\varphi} = \neg\Lambda_{q,\psi}$.
• Let us treat $\varphi = \exists\bigcirc\psi$. Recall that $(q, x_0) \models_v \exists\bigcirc\psi$ iff there exists a transition $(q, x_0) \xrightarrow{\tau} (q', x'_0)$ such that $(q', x'_0) \models_v \psi$ and $(q', x'_0)$ is the first configuration of an infinite run $\rho'$. Let $(q, \tau, g, r, q')$ be the edge of $E$ that has led to the transition $(q, x_0) \xrightarrow{\tau} (q', x'_0)$. Then (see Definition 2.3) $x'_0 = 0$ if $r = \{x\}$, and $x'_0 = x_0 + \tau$ if $r = \emptyset$. By induction hypothesis, $\Lambda_{q',\psi}$ has been constructed such that $\Lambda_{q',\psi}(x'_0, v(\Theta))$ is true iff $(q', x'_0) \models_v \psi$. The automaton $A$ is modified into an automaton $\bar A$ as follows. A copy $\bar q'$ of $q'$ is added to $Q$ such that $L(\bar q') = L(q')$, $I(\bar q') = I(q') \wedge \Lambda_{q',\psi}(x, \Theta)$. A copy $(\bar q', \tau', g', r', p)$ is also added for each edge $(q', \tau', g', r', p)$ leaving $q'$. By Proposition 3.9 applied to $\bar A$ and $\bar q'$, we get a $B_{x,\Theta}$ formula $\mathrm{Run}_{\bar q'}$ such that $\mathrm{Run}_{\bar q'}(x'_0, v(\Theta))$ is true iff there exists an infinite run in $\bar A^v$ starting with $(\bar q', x'_0)$. By construction of $\bar q'$, equivalently there exists an infinite run in $A^v$ starting with $(q', x'_0)$ and such that $(q', x'_0) \models_v \psi$. Hence, the expected formula $\Lambda_{q,\varphi}(x, \Theta)$ is equal to

$\Lambda_{q,\varphi}(x, \Theta) = \bigvee_{(q, \tau, g, \{x\}, q') \in E} \big(I(q) \wedge g(x + \tau) \wedge \mathrm{Run}_{\bar q'}(0, \Theta)\big) \;\vee\; \bigvee_{(q, \tau, g, \emptyset, q') \in E} \big(I(q) \wedge g(x + \tau) \wedge \mathrm{Run}_{\bar q'}(x + \tau, \Theta)\big)$

where $g(x + \tau)$ denotes the guard $g$ with $x$ replaced by $x + \tau$, as required by condition (2) of Definition 2.3.

• The construction of formula $\Lambda_{q,\varphi}$ for $\varphi = \exists\Box\psi$ is in the same vein as the previous one.
Recall that $(q,x_0) \models_v \varphi$ iff there is an infinite run in $A^v$ with first configuration $(q,x_0)$
such that all its configurations satisfy $\psi$. The automaton $A$ is here modified into $\overline{A}$ as
follows. For any state $p \in Q$, $\lambda(p)$ is replaced by $\lambda(p) \wedge \Lambda_{p,\psi}(x,\Theta)$. By Proposition 3.9
applied to $\overline{A}$, we get a formula $\overline{\mathrm{Run}}_q$ such that $\overline{\mathrm{Run}}_q(x_0, v(\Theta))$ is true iff there exists
an infinite run in $A^v$ starting with $(q,x_0)$ and such that all its configurations satisfy $\psi$.
Therefore formula $\Lambda_{q,\varphi}(x,\Theta)$ is equal to

$\overline{\mathrm{Run}}_q(x,\Theta)$.

• Let us turn to formula $\varphi = \psi\,\exists U_{\sim\alpha}\,\phi$ with $\sim \in \{<,\le,>,\ge\}$. We have $(q,x_0) \models_v \varphi$ iff
either (1) $(q,x_0) \models_v \phi$, $0 \sim v(\alpha)$ and $(q,x_0)$ is the first configuration of an infinite run,
or (2) there exists a finite run $\rho = (q,x_0) \rightsquigarrow (q',x'_0)$ such that $D_\rho \sim v(\alpha)$, $\psi$ is satisfied at
every configuration of $\rho$ distinct from $(q',x'_0)$, $\phi$ is satisfied at $(q',x'_0)$ and $(q',x'_0)$ is the
first configuration of an infinite run. For any state $p \in Q$, formulae $\Lambda_{p,\psi}$ and $\Lambda_{p,\phi}$ have
been constructed by induction hypothesis. So, in case (1), with the same construction of
$\overline{A}$ as done before for operator $\exists\bigcirc$ (with $q,\phi$ instead of $q',\psi$), we have the next formula

$(0 \sim \alpha) \wedge \mathrm{Run}_{\overline{q}}(x,\Theta)$.

Case (2) is more involved. The automaton $A$ is first modified into $\overline{A}$ as for operator $\exists\bigcirc$
(with $q',\phi$ instead of $q',\psi$) to get formula $\mathrm{Run}_{\overline{q}'}$ such that $\mathrm{Run}_{\overline{q}'}(x'_0, v(\Theta))$ is true iff
there exists an infinite run in $A^v$ starting with $(q',x'_0)$ and such that $(q',x'_0) \models_v \phi$. The
automaton $A$ is then modified into another automaton $\widetilde{A}$ in the following way. A copy $\widetilde{q}'$
of $q'$ is added to $Q$ as well as a copy of each edge of $E$ entering $q'$ as entering $\widetilde{q}'$; we
define $L(\widetilde{q}') = L(q')$ and $\lambda(\widetilde{q}') = \lambda(q') \wedge \mathrm{Run}_{\overline{q}'}(x,\Theta)$. For any state $p$ of $Q$, $\lambda(p)$ is replaced
by $\lambda(p) \wedge \Lambda_{p,\psi}(x,\Theta)$. Thanks to Proposition 3.10 applied to $\widetilde{A}$, we obtain a formula
$\mathrm{Duration}^{\sim\alpha}_{q,\widetilde{q}'}(x,\Theta)$ expressing the following: $\mathrm{Duration}^{\sim\alpha}_{q,\widetilde{q}'}(x_0, v(\Theta))$ is true iff there exists
in $\widetilde{A}^v$ a finite run $\rho = (q,x_0) \rightsquigarrow (\widetilde{q}',x'_0)$ with $D_\rho \sim v(\alpha)$. Equivalently there exists in
$A^v$ a finite run $\rho = (q,x_0) \rightsquigarrow (q',x'_0)$ with $D_\rho \sim v(\alpha)$ such that $\psi$ is satisfied at every
configuration of $\rho$ distinct from $(q',x'_0)$, $\phi$ is satisfied at $(q',x'_0)$ and $(q',x'_0)$ is the first
configuration of an infinite run. For case (2), the expected formula is thus the disjunction

$\bigvee_{q' \in Q} \mathrm{Duration}^{\sim\alpha}_{q,\widetilde{q}'}(x,\Theta)$.

Therefore, putting together cases (1) and (2), formula $\Lambda_{q,\varphi}$ is the disjunction

$((0 \sim \alpha) \wedge \mathrm{Run}_{\overline{q}}(x,\Theta)) \vee \bigvee_{q' \in Q} \mathrm{Duration}^{\sim\alpha}_{q,\widetilde{q}'}(x,\Theta)$.

Footnote. The copy $\overline{q}'$ of $q'$ is needed to focus on the first configuration $(q',x'_0)$ of $\rho'$.

Footnote. The copy $\widetilde{q}'$ of $q'$ is needed to focus on the last configuration $(q',x'_0)$ of $\rho$; the augmented invariant is
needed to express that $\phi$ is satisfied at $(q',x'_0)$ and $(q',x'_0)$ is the first configuration of an infinite run.

• Finally, let $\varphi$ be $\exists\Box_{<\alpha}\psi$. Then $(q,x_0) \models_v \varphi$ iff there exists a finite run $\rho = (q,x_0) \rightsquigarrow (q',x')$
such that $D_\rho \ge v(\alpha)$, $(p,x) \models_v \psi$ for each configuration $(p,x)$ of $\rho$ distinct from
$(q',x')$ and $(q',x')$ is the first configuration of an infinite run. As done just before in case
(2), $A$ is modified into $\widetilde{A}$ except that we use $\mathrm{Run}_{q'}$ instead of $\mathrm{Run}_{\overline{q}'}$ in the definition of
$\lambda(\widetilde{q}')$. By Proposition 3.10 formula $\Lambda_{q,\varphi}$ is equal to

$\bigvee_{q' \in Q} \mathrm{Duration}^{\ge\alpha}_{q,\widetilde{q}'}(x,\Theta)$.

The proof is completed since all the proposed formulae belong to $B_{x,\Theta}$ and their construction
is effective. □

Solutions to the model-checking problem and the parameter synthesis problem are ob-
tained as a corollary of Theorem 3.8.

Corollary 3.11. The model-checking problem for F-PTCTL is decidable.

Proof. Let $Q\Theta\,\varphi$ be a F-PTCTL formula $f$ with no free parameters. By Theorem 3.8,

$(q,x_0) \models f$ iff $Q\Theta\,\Lambda_{q,\varphi}(x_0,\Theta)$ is true.

By Lemma 3.7 formula $Q\Theta\,\Lambda_{q,\varphi}(x_0,\Theta)$ is a Presburger formula. As Presburger arithmetic
has a decidable theory and $Q\Theta\,\Lambda_{q,\varphi}(x_0,\Theta)$ is a Presburger sentence, the model-checking
problem is decidable. □

The next corollary is straightforward. It states that the parameter synthesis problem
is solvable.

Corollary 3.12. Let $A$ be an automaton and $(q,x_0)$ a configuration of $A$. Let $\{\theta_1,\ldots,\theta_k\} \subseteq \Theta$
with $k \ge 0$ and let $f = Q_1\theta_1 \cdots Q_k\theta_k\,\varphi$ be a F-PTCTL formula. Then the Presburger
formula $Q_1\theta_1 \cdots Q_k\theta_k\,\Lambda_{q,\varphi}(x_0,\Theta)$ with free variables in $\Theta_f$ is an effective characterization
of the set of valuations $v$ on $\Theta_f$ such that $(q,x_0) \models_v f$. □

Corollary 3.12 has important consequences that we want to detail now. Let us denote
by $V(A,f,q,x_0)$ the set of valuations $v$ on $\Theta_f$ such that $(q,x_0) \models_v f$. Let $\Theta_f$ be equal to
$\{\theta'_1,\ldots,\theta'_l\}$. Presburger arithmetic has an effective quantifier elimination, by adding to the
operations $+$ and $<$ all the congruences $\equiv \bmod a$, $a \in \mathbb{N}^+$. It follows that the characterization
of $V(A,f,q,x_0)$ given above in Corollary 3.12 by

$Q_1\theta_1 \cdots Q_k\theta_k\,\Lambda_{q,\varphi}(x,\Theta)$

can be effectively rewritten without any quantifier. On the other hand, since Presburger
arithmetic has a decidable theory, any question formulated in this logic about $V(A,f,q,x_0)$
is decidable. For instance, the question "Is the set $V(A,f,q,x_0)$ non empty" is decidable as
it is formulated in Presburger arithmetic by

The question "Does the set $V(A,f,q,x_0)$ contain all the valuations on $\Theta_f$" is also decidable
as it can be formulated as

$\forall\theta'_1 \cdots \forall\theta'_l\, Q_1\theta_1 \cdots Q_k\theta_k\,\Lambda_{q,\varphi}(x,\Theta)$.

The question "Is the set $V(A,f,q,x_0)$ finite" is translated into

$\exists z\, \forall\theta'_1 \cdots \forall\theta'_l\, Q_1\theta_1 \cdots Q_k\theta_k\, \big(\Lambda_{q,\varphi}(x,\Theta) \rightarrow \bigwedge_i \theta'_i \le z\big)$.

And so on.

4. Durations

The aim of this section is to prove Propositions 3.9 and 3.10. This is achieved thanks
to a precise description of the possible durations of finite runs in an automaton. Several
steps are necessary for this purpose.

In the first subsection, we show that we can work with automata put in some nor-
mal form. This normalization allows a simplified presentation of the proofs of the next
subsections.

In Subsections 4.2 and 4.3 we restrict to reset-free normalized automata, that is au-
tomata in which there is no reset of the clock. For this family of automata, we study the
runs of the form $(i,x_0) \rightsquigarrow (f,\cdot)$ such that $i \in I$, $f \in F$ with $I, F$ being two fixed subsets
of states, and $x_0$ is a fixed clock value. In Subsection 4.2 a sequence of transformations
is performed on the automata such that the x-atoms used in the automata are limited
to equalities $x = \alpha$. These simplifications lead in Subsection 4.3 to the description by a
Presburger formula of the durations $D_\rho$ of runs $\rho = (i,x_0) \rightsquigarrow (f,\cdot)$, $i \in I$, $f \in F$.

In the last subsection, we remove the reset-free restriction imposed on the automata and
we study in detail the durations $D_\rho$ of runs $\rho = (q,x_0) \rightsquigarrow (q',\cdot)$ between two fixed states $q$
and $q'$. Any such run $\rho$ can be decomposed into a sequence of runs $\rho_j$, $1 \le j \le k$, according
to the resets of the clock, that is, the clock is reset at the beginning and the end of $\rho_j$ but
not inside $\rho_j$. The duration $D_\rho$ of $\rho$ is thus the sum of the durations $D_{\rho_j}$, $1 \le j \le k$.
Any $D_{\rho_j}$ falls into the durations studied in Section 4.3. Thanks to this description of
any duration $D_\rho$ in terms of durations in reset-free automata, we are finally able to prove
Propositions 3.9 and 3.10.

In Subsections 4.1, 4.2 and 4.3 we are going to perform a sequence of transformations on
the automata $A$ that will preserve the set of runs in $A^v$ for any valuation $v$, in the following
sense. During a transformation, state $q$ will possibly be split into several copies $q_j$. Runs
before and after the splitting can be supposed identical up to a renaming of any $q_j$ into

Such an identification of runs is already present in the proof of Theorem 3.8.
4.1. Normalized Automata. In this subsection, the automata are put in some normal
form. The aim of this normalization is a simplified presentation of the proofs in the rest of
the paper.

Definition 4.1. An automaton $A$ is normalized if

• the guards labeling the edges and used in the invariants are limited to conjunctions of
x-atoms and $\theta$-atoms with $\sim \in \{=, \le, \ge, \equiv_{a,\le}, \equiv_{a,\ge}\}$,

• for any state $q \in Q$, the edges $(p,\tau,g,r,q)$ entering $q$ are all labeled by the same $g$ and
the same $r$ (however $\tau$ can vary).

Proposition 4.2. Any automaton $A$ can be effectively normalized such that the set of runs
in $A^v$ is preserved for any valuation $v$.

Proof. Let $g \in B_{x,\Theta}$ be a guard. By Lemma 3.7 it can be rewritten as a disjunction of
$k$ formulae $\delta_j$, $1 \le j \le k$, where each $\delta_j$ is a conjunction of x-atoms and $\theta$-atoms with
$\sim \in \{=, \le, \ge, \equiv_{a,\le}, \equiv_{a,\ge}\}$. If $g$ labels the edge $(q,\tau,g,r,q')$ of $A$, then we modify $A$ by
splitting this edge into $k$ edges $(q,\tau,\delta_j,r,q')$, $1 \le j \le k$. If $g = \lambda(q)$ for some state $q$, we
modify $A$ by splitting $q$ into $k$ states $q_j$, $1 \le j \le k$, such that $L(q_j) = L(q)$, $\lambda(q_j) = \delta_j$ and we
accordingly split any edge that enters or leaves state $q$. The first condition of Definition 4.1
is therefore satisfied.

For the second condition, the construction is similar. Suppose that there are several
edges $(p,\tau,g,r,q)$ entering state $q$ with distinct couples $(g,r)$. Then $q$ is split into several
copies (one copy for each couple $(g,r)$) and all the edges entering $q$ are redirected to each
copy, according to the couples $(g,r)$. The copies of $q$ have the same $L(q)$ and $\lambda(q)$ as $q$. □

4.2. Transformations of Reset-free Automata. In all this subsection, we assume the
next hypothesis.

Hypothesis (*). We assume that $A = (Q,I,F,E,L,\lambda)$ is a reset-free normalized automaton
with a set $I \subseteq Q$ of initial states and a set $F \subseteq Q$ of final states. We also assume that
$I \cap F = \emptyset$, no edge enters $i \in I$ and no edge leaves $f \in F$.

Remark. As $A$ is normalized and reset-free, given a state $q$, all edges $(p,\tau,g,r,q)$ entering
$q$ have the same guard $g$ and satisfy $r = \emptyset$. It follows that we can move guard $g$ from
these edges to the invariant $\lambda(q)$ of $q$. Indeed $g$ is simply erased from all the edges entering
$q$ and added as a conjunct to $\lambda(q)$. By this construction, the set $E$ of edges of $A$ can be
rewritten as a subset of $Q \times \{0,1\} \times Q$, instead of $Q \times \{0,1\} \times G \times \{\emptyset,\{x\}\} \times Q$ (see Definitions 2.2
and 2.3).

On the other hand, as $A$ is normalized, the invariant $\lambda(q)$ of any state $q$ is a conjunction
of x-atoms and $\theta$-atoms. We can view $\lambda(q)$ as a set of x-atoms and $\theta$-atoms (instead of a
conjunction) and we will often say that an x-atom or a $\theta$-atom belongs to $q$ (instead of $\lambda(q)$)
or appears in $q$.

Given a valuation $v$ and a clock value $x_0$, we denote by

$R(A^v, x_0)$

the set of runs of $A^v$ of the form $(i,x_0) \rightsquigarrow (f,\cdot)$ for some $i \in I$ and $f \in F$. We are going
to perform a sequence of transformations on $A$ that will preserve $R(A^v,x_0)$. The aim of
these transformations is to simplify the form of the invariants used in the automaton. The
invariant $\lambda(q)$ of any state $q \in Q \setminus (I \cup F)$ will be a conjunction of at most one x-atom (of
the form $x = \alpha$) and one $\theta$-conjunction. This simplification will be possible mainly because
the automaton is reset-free (see Proposition 4.4).

Figure 4: A reset-free normalized automaton which is simplified

Definition 4.3. A reset-free normalized automaton $A$ is simplified if

• for all $q \in Q$, the invariant $\lambda(q)$ is equal to

$\lambda_x(q) \wedge \lambda_\theta(q)$

such that $\lambda_x(q)$ is an x-conjunction and $\lambda_\theta(q)$ is a $\theta$-conjunction. Among the x-atoms
$x \sim \alpha$ of $\lambda_x(q)$, at most one is an equality $x = \alpha$. Moreover, if $q \notin I \cup F$, then $\lambda_x(q)$
contains no other x-atom $x \sim \beta$ with $\sim \in \{\le, \ge, \equiv_{a,\le}, \equiv_{a,\ge}\}$, and if $q \in I$ (resp. $q \in F$),
then the other x-atoms of $\lambda_x(q)$ are of the form $x \ge \beta$ (resp. $x \le \beta$).

• for any run $\rho \in R(A^v,x_0)$, for any x-atom $x = \alpha$, there exists at most one configuration
$(q',x')$ of $\rho$ such that $\lambda_x(q')$ contains $x = \alpha$.

This definition is illustrated by the next very simple example.

Example. Consider the simplified automaton $A$ of Figure 4 with one initial state $i$ and one
final state $f$. The invariant of state $p$ has no component $\lambda_x(p)$ and its $\theta$-conjunction $\lambda_\theta(p)$
is limited to the $\theta$-atom $\theta_1 \ge \theta_2$. The other states of the automaton have no $\theta$-conjunction.
They can have at most one x-atom which is an equality, like state $q$ containing the equality
$x = \theta_1$. The initial state $i$ can have x-atoms of the form $x \ge \alpha$ but it has no such x-atom
in this example. The final state $f$ has the x-atom $x \le \theta_2$.

Proposition 4.4. Any reset-free normalized automaton $A$ can be effectively simplified such
that the set $R(A^v,x_0)$ is preserved for any valuation $v$ and any clock value $x_0$.

Proof. The proof of Proposition 4.4 needs several steps. The transformations described
in the proof are based on standard constructions of automata theory. Each of them will
preserve $R(A^v,x_0)$ for any valuation $v$ and any clock value $x_0$. After each transformation,
the resulting automaton will be again denoted by $A$.

In the first step, we are going to suppress in each $\lambda_x(q)$, for $q \in Q$, all x-atoms of the
form $x \equiv_{a,\le} \alpha$.

First step, x-atoms $x \equiv_{a,\le} \alpha$.

Let us show that any x-atom $x \equiv_{a,\le} \alpha$ belonging to some state $q$ can be suppressed at
the cost of a new x-atom $x \le \alpha$. The idea is the following. If $\alpha \equiv b \bmod a$ for a certain
$b \in \{0,1,\ldots,a-1\}$ (see footnote 12), then

$x \equiv_{a,\le} \alpha$ iff $x \equiv b \bmod a$ and $x \le \alpha$.

Footnote 12. As $\alpha$ is a linear term over the parameters, the value $b$ such that $\alpha \equiv b \bmod a$ is not known whenever
the parameter valuation $v$ is not fixed.

The automaton is transformed in a way to compute modulo $a$. New states are of the
form $(q,c)$ with $q \in Q$ and $c \in \{0,\ldots,a-1\}$ expressing that $x \equiv c \bmod a$. Formally we
construct $A_b = (Q',I',F',E',L',\lambda')$ where $Q' = Q \times \{0,\ldots,a-1\}$, $I' = I \times \{0,\ldots,a-1\}$,
$F' = F \times \{0,\ldots,a-1\}$, $L'(q,c) = L(q)$ and $((q,c),\tau,(q',d)) \in E'$ iff $(q,\tau,q') \in E$ and
$d = c + \tau \bmod a$. Function $\lambda'$ is defined as follows. For any $(q,c) \in Q'$, let $\lambda'(q,c) = \lambda(q)$. If
$(q,c)$ contains $x \equiv_{a,\le} \alpha$, suppress this state if $c \ne b$, replace $x \equiv_{a,\le} \alpha$ by $x \le \alpha$ if $c = b$. If
$(q,c) \in I'$, add the x-atom $x \equiv_{a,\ge} c$ and the $\theta$-atom $\alpha \equiv_{a,\ge} b$ to recall that $\alpha \equiv b \bmod a$
and $x \equiv c \bmod a$ initially. As $\alpha$ depends on the parameter valuation, value $b$ such that
$\alpha \equiv b \bmod a$ is not known in advance. Therefore the final automaton is the disjoint union
of the automata $A_b$ with $b \in \{0,\ldots,a-1\}$.

The suppression of x-atoms $x \equiv_{a,\ge} \alpha$ in each $\lambda_x(q)$ is performed similarly. In the next
step, we are going to suppress x-atoms $x \ge \alpha$. This will be possible everywhere except
inside states $q \in I$.

Second step, x-atoms $x \ge \alpha$.

Let us consider a fixed x-atom $x \ge \alpha$. Recall that the automaton is reset-free. Along
a run $\rho \in R(A^v,x_0)$, as soon as $x \ge \alpha$ is satisfied at some configuration of $\rho$, the next
occurrences of $x \ge \alpha$ are automatically satisfied and can thus be suppressed. The automaton
is transformed in a way to count occurrences of $x \ge \alpha$ thanks to a counter $c$ equal to 1 (resp. 2)
in case 1 (resp. 2 or more) occurrence(s) of $x \ge \alpha$ is (are) encountered (see footnote 13).
Formally we construct $A' = (Q',I',F',E',L',\lambda')$ where $Q' = Q \times \{0,1,2\}$, $F' = F \times \{0,1,2\}$,
$L'(q,c) = L(q)$ and $\lambda'(q,c) = \lambda(q)$ for all $q \in Q$ and $c \in \{0,1,2\}$. Sets $I'$ and $E'$ are defined
as follows. For any $q \in I$, state $(q,c)$ belongs to $I'$ with $c = 1$ if $x \ge \alpha$ belongs to $q$, and
$c = 0$ otherwise. For any $(q,\tau,q') \in E$, edge $((q,c),\tau,(q',c'))$ belongs to $E'$ with $c' = c + 1$
if $q'$ contains $x \ge \alpha$, and $c' = c$ otherwise. Finally, we suppress $x \ge \alpha$ in any state $(q,2)$
containing it.

Now, consider a run $\rho' \in R(A'^v,x_0)$ equal to $(q_i,c_i,x_i)_{0 \le i \le n}$ such that some state $(q_k,c_k)$
contains $x \ge \alpha$. Necessarily, $c_k = 1$ and $c_i = 0$ for $0 \le i < k$ by construction of $A'$. So
x-atom $x \ge \alpha$ is satisfied at configuration $(q_k,c_k,x_k)$ iff

(i) either $x \ge \alpha$ is satisfied at configuration $(q_0,c_0,x_0)$,

(ii) or $x = \alpha$ is satisfied at some configuration $(q_i,c_i,x_i)$ of $\rho'$ such that $0 < i \le k$.

Therefore, x-atom $x \ge \alpha$ can be suppressed at the cost of a new x-atom $x = \alpha$ (see (ii)),
except inside the initial state $(q_0,c_0)$ (see (i)). This can be achieved by modifying $A'$ into
an automaton $A''$ thanks to a construction which is not difficult but tedious; it will not
be fully detailed. The automaton $A''$ has three parts:

• a first part of $A''$ has to deal with paths of $A'$ that only contain states $(q,c)$ with $c = 0$,

• a second part has to deal with paths of $A'$ starting with $(q,c)$ such that $q \in I$, $c = 1$,

• and a third part has to deal with paths of $A'$ containing some state $(q,c)$ such that $q \notin I$,
$c = 1$; such paths are called special.

Footnote 13. Thus when the counter $c$ has value 2, any incrementation $c + 1$ leaves it at value 2.

The first part of $A''$ is obtained from $A'$ by erasing all states $(q,c)$ with $c = 1$. The second
part is obtained from $A'$ by erasing all states $(q,c)$ such that $q \notin I$, $c = 1$ and all states
$(q,c)$ such that $q \in I$, $c = 0$. We now discuss the third part of $A''$. The special paths of $A'$
must be modified into two kinds of paths: either the x-atom $x \ge \alpha$ is added to the initial
state of the path (see (i)), or the x-atom $x = \alpha$ is added to some intermediate state of the
path, which is situated between the initial state (not included) and state $(q,c)$ (included)
(see (ii)). In both cases, the x-atom $x \ge \alpha$ must be deleted from $(q,c)$. The third part of
$A''$, first case, is obtained from $A'$ by adding the x-atom $x \ge \alpha$ to any state $(q,c)$ such that
$q \in I$, $c = 0$ and by deleting the x-atom $x \ge \alpha$ from any state $(q,c)$ such that $q \notin I$, $c = 1$;
it is also necessary to use a marker to verify that each accepting path of $A''$ corresponds
to a special path of $A'$. The third part of $A''$, second case, is obtained from $A'$ as follows:
the x-atom $x \ge \alpha$ is deleted from any state $(q,c)$ such that $q \notin I$, $c = 1$, all states $(q,c)$
with $q \notin I$, $c = 0$ are duplicated (together with the edges entering and leaving $(q,c)$) such
that the x-atom $x = \alpha$ is added to one of the two copies of $(q,c)$; it is also necessary to use
a marker to verify that each accepting path of $A''$ corresponds to a special path of $A'$ and
passes through exactly one state containing the x-atom $x = \alpha$.

The suppression of x-atoms $x \le \alpha$ can be performed in a similar way. Note that
here, as soon as the last (instead of the first) occurrence of $x \le \alpha$ is satisfied along a run
$\rho \in R(A^v,x_0)$, then the previous occurrences of $x \le \alpha$ are automatically satisfied. It follows
that x-atoms $x \le \alpha$ can be suppressed everywhere except inside states $q \in F$.

At this point of the proof, for each state $q$, (1) if $q \notin I \cup F$, then the x-atoms contained
in $q$ are of the form $x = \alpha$, (2) if $q \in I$, then they are of the form $x = \alpha$ or $x \ge \alpha$, and (3) if
$q \in F$, then they are of the form $x = \alpha$ or $x \le \alpha$. It remains to prove two facts about x-atoms
which are equalities. First, for all $q \in Q$, among the x-atoms contained in $q$, at most one is
an equality $x = \alpha$. Second, for any run $\rho \in R(A^v,x_0)$, for any x-atom $x = \alpha$, there exists
at most one configuration $(q',x')$ of $\rho$ such that $\lambda_x(q')$ contains $x = \alpha$.



Third step, x-atoms $x = \alpha$.

The first fact can be easily proved. Suppose that $\lambda_x(q) = \bigwedge_{\alpha \in A}(x = \alpha)$ for some set $A$
of linear terms. Let $\alpha' \in A$. Then $\lambda_x(q)$ is equivalent to

$(x = \alpha') \wedge \bigwedge_{\alpha \in A}(\alpha' = \alpha).$

Thus $\lambda_x(q)$ can be replaced by $x = \alpha'$ and $\lambda_\theta(q)$ by $\lambda_\theta(q) \wedge \bigwedge_{\alpha \in A}(\alpha' = \alpha)$.

Let us prove the second fact. Let $\rho$ be a run in $R(A^v,x_0)$. Assume that there are in $\rho$
several configurations $(q_j,x_j)$, $1 \le j \le k$, such that $q_j$ contains a given x-atom $x = \alpha$. It
follows that time does not progress from $(q_1,x_1)$ to $(q_k,x_k)$, that is, $x_j = x_1$ for all $j$. Only
the first occurrence of $q_1$ is useful, the next ones can be forgotten. Therefore,
$A$ is transformed in a way to count occurrences of $x = \alpha$ and to remember any progress of
time. As done before, a counter $c$ has value 1 (resp. 2) in case of 1 (resp. 2 or more)
occurrences of $x = \alpha$. Moreover, values 1 and 2 are indexed by $+$ if time has progressed
since the first occurrence of $x = \alpha$. Formally we construct $A' = (Q',I',F',E',L',\lambda')$ where
$Q' = Q \times \{0,1,1^+,2,2^+\}$, $F' = F \times \{0,1,1^+,2,2^+\}$, $L'(q,c) = L(q)$ and $\lambda'(q,c) = \lambda(q)$ for all
$q \in Q$ and $c \in \{0,1,1^+,2,2^+\}$. For any $q \in I$, state $(q,c)$ belongs to $I'$ with $c = 1$ if $x = \alpha$
belongs to $q$, and $c = 0$ otherwise. For any $(q,\tau,q') \in E$, edge $((q,c),\tau,(q',c'))$ belongs to
$E'$ where $c'$ is computed according to Table 1. Finally, for any state $(q,c)$ containing $x = \alpha$,
we suppress this state if $c = 2^+$, we suppress $x = \alpha$ from this state if $c = 2$. Indeed recall
that counter 2 indicates that it is at least the second occurrence of $x = \alpha$, and the presence
of index $+$ means a progress of time since the first occurrence of $x = \alpha$. □

Table 1: Computation of $c'$ (cases "if $q$ contains $x = \alpha$" and "otherwise"; the entries of the table are not recoverable from the extraction).

4.3. Durations in Reset-free Automata. In this subsection, we again make Hypothesis
(*). By Proposition 4.4 we know that the reset-free normalized automaton $A$ can be
supposed simplified. Thanks to this property of $A$, we are going to construct a Presburger
formula describing all the possible durations of runs in $R(A^v,x_0)$ in terms of the parameters.
We need the next notation.

Notation 4.5. Let $t$ be a variable used to denote a duration and $x$ be a variable for a clock
value. We call t-atom any $t \sim \alpha$ or $t \sim \alpha - x$, with $\alpha$ a linear term. A t-atom is of first
type if it is of the form

$t = \alpha$,
$t \equiv_{a,\ge} \alpha$,
$t = \alpha - x$,
$t \equiv_{a,\ge} \alpha - x$.

It is of second type if it is of the form

$t \le \alpha - x$.

A t-conjunction is a conjunction of t-atoms of second type.

Proposition 4.6. Let $A$ be a reset-free normalized automaton. There exists a Presburger
formula $X(t,x,\Theta)$ such that for any valuation $v$ and any clock value $x_0$, there exists a run
in $R(A^v,x_0)$ with duration $t_0$ iff

$X(t_0,x_0,v(\Theta))$ is true.

This formula is a disjunction of formulae of the form

$\Lambda_t \wedge \Lambda_\le \wedge \Lambda_x \wedge \Lambda_\theta$,

where $\Lambda_t$ is a first type t-atom, $\Lambda_\le$ is a t-conjunction, $\Lambda_x$ is an x-conjunction and $\Lambda_\theta$ is a
$\theta$-conjunction. Its construction is effective.

Let us explain this proposition on the next example.

Example. Consider the simplified automaton $A$ of Figure 4. We denote by $t_0$ the duration
of any run $(i,x_0) \rightsquigarrow (f,\cdot)$ in $R(A^v,x_0)$, where $v$ is a fixed parameter valuation. Every run
has to pass through state $q$ which contains the x-atom $x = \theta_1$. Let us study the possible
durations $t_1$ of runs $\rho_1 = (i,x_0) \rightsquigarrow (q,\cdot)$. Each duration $t_1$ must be equal to $v(\theta_1) - x_0$. For
runs $\rho_1$ using the cycle, constraint $v(\theta_1) \ge v(\theta_2)$ holds and $t_1$ has the form $m + 3$, $m \ge 0$.
The unique run $\rho_1$ not using the cycle is not constrained and its duration equals $t_1 = 2$.
Now any duration $t_0$ can be decomposed as $t_0 = t_1 + 2n + 1 = v(\theta_1) - x_0 + 2n + 1$, $n \ge 0$.
Due to the x-atom $x \le \theta_2$ of state $f$, we get another constraint $x_0 + t_0 \le v(\theta_2)$. In summary,
we have

$[(v(\theta_1) - x_0 \equiv_{1,\ge} 3 \ \wedge\ v(\theta_1) \ge v(\theta_2)) \ \vee\ v(\theta_1) - x_0 = 2]$
$\wedge\ [t_0 \equiv_{2,\ge} v(\theta_1) - x_0 + 1]$
$\wedge\ [x_0 + t_0 \le v(\theta_2)]$

We get the next Presburger formula $X(t,x,\Theta)$

$[(x \equiv_{1,\le} \theta_1 - 3 \ \wedge\ \theta_1 \ge \theta_2) \ \vee\ x = \theta_1 - 2]$
$\wedge\ [t \equiv_{2,\ge} \theta_1 + 1 - x]$
$\wedge\ [t \le \theta_2 - x]$

such that there exists a run in $R(A^v,x_0)$ with duration $t_0$ iff $X(t_0,x_0,v(\Theta))$ is true. This
formula is in the form of Proposition 4.6 when it is rewritten as a disjunction of conjunctions
of t-atoms, x-atoms and $\theta$-atoms (see footnote 14).
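The following Python program is an added example; it is not code from the paper. It serves two passages: the first step of the proof of Proposition 4.4 (suppression of an x-atom $x \equiv_{a,\le} \alpha$ by the product with a counter $c = x \bmod a$, for each guess $b$ of $\alpha \bmod a$) and the example just given for Proposition 4.6. It represents a reset-free normalized automaton whose guards have already been moved into the invariants (as in the Remark of Subsection 4.2), enumerates the runs $(i,x_0) \rightsquigarrow (f,\cdot)$ of $A^v$ for a concrete valuation up to a clock bound, and checks (1) that the first step preserves the set of durations on a small constructed automaton and (2) that the formula $X(t,x,\Theta)$ stated above is true exactly for the durations found. The automaton FIG4 is a constructed stand-in for Figure 4, built only from the properties the text states (state p with $\theta_1 \ge \theta_2$ on a cycle adding 1 per turn, q with $x = \theta_1$, f with $x \le \theta_2$, a direct path of duration 2 from i to q, and a cycle adding 2 after q); the figure itself is not on this page, so its exact shape is an assumption. The assumed semantics is that a step $(p,x) \to (p',x+\tau)$ exists iff $x+\tau$ satisfies the invariant of $p'$, and that $(i,x_0)$ must satisfy $\lambda(i)$. All names (ev, holds, Aut, final_configs, durations, remove_mod_le, MOD, FIG4, step_one_preserves, fig4_formula, fig4_matches) are the example's own.

```python
from collections import deque
from itertools import product

# Added example, not the paper's code. A linear term is a dict {name: coef} with "" for the
# constant; names are parameters, the clock "x" or the duration "t".

def ev(term, env):
    return sum(c * (env[n] if n else 1) for n, c in term.items())

OPS = {"=": lambda l, r, a: l == r, "<=": lambda l, r, a: l <= r, ">=": lambda l, r, a: l >= r,
       "==<=": lambda l, r, a: l % a == r % a and l <= r,   # lhs ≡_{a,<=} rhs
       "==>=": lambda l, r, a: l % a == r % a and l >= r}   # lhs ≡_{a,>=} rhs

def holds(atom, env):
    """atom = (op, a, lhs, rhs); a is the modulus of a congruence atom (None otherwise)."""
    op, a, lhs, rhs = atom
    return OPS[op](ev(lhs, env), ev(rhs, env), a)

X, T = {"x": 1}, {"t": 1}

class Aut:
    """Reset-free normalized automaton: inv maps a state to its atoms, edges are (q, tau, q')."""
    def __init__(self, inv, init, final, edges):
        self.inv, self.init, self.final, self.edges = inv, set(init), set(final), list(edges)

def final_configs(A, v, x0, xmax):
    """(f, x) with f final reached by runs (i, x0) ~> (f, x) of A^v. The clock never
    decreases (no reset), so bounding it by xmax keeps the search finite."""
    env = dict(v)
    def ok(p, x):                           # assumed semantics: invariant of the entered state
        env["x"] = x
        return all(holds(at, env) for at in A.inv[p])
    start = [(i, x0) for i in A.init if ok(i, x0)]
    seen, todo = set(start), deque(start)
    while todo:
        p, x = todo.popleft()
        for p1, tau, p2 in A.edges:
            nxt = (p2, x + tau)
            if p1 == p and x + tau <= xmax and nxt not in seen and ok(p2, x + tau):
                seen.add(nxt)
                todo.append(nxt)
    return {(p, x) for p, x in seen if p in A.final}

def durations(A, v, x0, xmax):
    """Durations D_rho = x - x0 of the runs (i, x0) ~> (f, x) in R(A^v, x0)."""
    return {x - x0 for _, x in final_configs(A, v, x0, xmax)}

def remove_mod_le(A, q, a, alpha):
    """First step of Prop. 4.4: suppress x ≡_{a,<=} alpha in state q. Returns the disjoint
    union over b of the automata A_b; a state (p, c, b) records c = x mod a and the guess b."""
    atom = ("==<=", a, X, alpha)
    inv, init, final, edges = {}, set(), set(), []
    for b in range(a):
        for p, c in product(A.inv, range(a)):
            if p == q and c != b:            # copies of q with x mod a != b are suppressed
                continue
            atoms = [at for at in A.inv[p] if at != atom]
            if p == q:                       # c == b: the congruence becomes x <= alpha
                atoms.append(("<=", None, X, alpha))
            if p in A.init:                  # recall x ≡ c and alpha ≡ b (mod a) initially
                atoms += [("==>=", a, X, {"": c}), ("==>=", a, alpha, {"": b})]
                init.add((p, c, b))
            if p in A.final:
                final.add((p, c, b))
            inv[(p, c, b)] = atoms
        for p, tau, p2 in A.edges:           # ((q,c), tau, (q',d)) with d = c + tau mod a
            for c in range(a):
                src, dst = (p, c, b), (p2, (c + tau) % a, b)
                if src in inv and dst in inv:
                    edges.append((src, tau, dst))
    return Aut(inv, init, final, edges)

TH, TH1, TH2 = {"theta": 1}, {"theta1": 1}, {"theta2": 1}

# (1) constructed automaton whose state q carries x ≡_{2,<=} theta
MOD = Aut({"i": [], "q": [("==<=", 2, X, TH)], "r": [], "f": []}, {"i"}, {"f"},
          [("i", 1, "q"), ("q", 1, "r"), ("r", 1, "q"), ("q", 0, "f")])

def step_one_preserves(v, x0, xmax=20):
    """R(A^v, x0) is preserved: same durations before and after the first step."""
    return durations(MOD, v, x0, xmax) == durations(remove_mod_le(MOD, "q", 2, TH), v, x0, xmax)

# (2) constructed stand-in for Figure 4 (the figure is not on the page): p carries
# theta1 >= theta2 on a cycle adding 1 per turn, q carries x = theta1, f carries x <= theta2.
FIG4 = Aut({"i": [], "a": [], "p": [(">=", None, TH1, TH2)], "q": [("=", None, X, TH1)],
            "r": [], "s": [], "f": [("<=", None, X, TH2)]}, {"i"}, {"f"},
           [("i", 1, "a"), ("a", 1, "q"), ("a", 0, "p"), ("p", 1, "a"),
            ("q", 0, "r"), ("r", 1, "s"), ("s", 1, "r"), ("r", 1, "f")])

def fig4_formula(t, x, v):
    """X(t,x,Θ) of the example: [(x ≡_{1,<=} θ1-3 ∧ θ1>=θ2) ∨ x=θ1-2] ∧ [t ≡_{2,>=} θ1+1-x] ∧ [t<=θ2-x]."""
    env = dict(v, x=x, t=t)
    c1 = holds(("==<=", 1, X, {"theta1": 1, "": -3}), env) and holds((">=", None, TH1, TH2), env)
    c2 = holds(("=", None, X, {"theta1": 1, "": -2}), env)
    return ((c1 or c2) and holds(("==>=", 2, T, {"theta1": 1, "": 1, "x": -1}), env)
            and holds(("<=", None, T, {"theta2": 1, "x": -1}), env))

def fig4_matches(v, x0, xmax=40):
    """Proposition 4.6 on the stand-in: a run of duration t exists iff X(t, x0, v(Θ)) is true."""
    ds = durations(FIG4, v, x0, xmax)
    return all(fig4_formula(t, x0, v) == (t in ds) for t in range(xmax - x0 + 1))
```

With $v(\theta_1) = 5$, $v(\theta_2) = 12$ and $x_0 = 3$ the stand-in has runs of durations 3, 5, 7 and 9 only, which is exactly where the formula is true; for valuations with $v(\theta_1) \ge v(\theta_2)$ the formula is false everywhere, matching the fact that a run through the cycle can never end in $f$ because $x = \theta_1$ is required before $x \le \theta_2$.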

Thanks to the previous example, we can give some ideas of the proof of Proposition 4.6.
Except for the initial and final states, the states of a simplified automaton contain at most
one x-atom which is of the form $x = \alpha$. The proof will be by induction on these x-atoms.
Given an x-atom $x = \alpha$ contained in some state $q$, any run $\rho$ in $R(A^v,x_0)$ passing through
this state $q$ can be decomposed as $(i,x_0) \rightsquigarrow (q,x_1)$ and $(q,x_1) \rightsquigarrow (f,x_2)$, for some $i \in I$
and $f \in F$. Its duration $t_0$ can also be decomposed as $t_1 + t_2$ with the constraint that the
clock value $x_0 + t_1$ must satisfy $x = \alpha$. It follows that $t_0 = v(\alpha) - x_0 + t_2$. The durations $t_1$
and $t_2$ and the related constraints will be computed by induction. When there is no x-atom
in the automaton (base case), only $\theta$-atoms can appear in states. Runs will therefore be
partitioned according to the set of $\theta$-atoms that constrain them. Their durations will be
described as fixed values or arithmetic progressions.

Proof (of Proposition 4.6). By Proposition 4.4 the reset-free normalized $A = (Q,I,F,E,L,\lambda)$
is assumed to be simplified.

(1) We can suppose that $I$ is reduced to one initial state $i$ and $F$ to one final state $f$. At
the end of the proof, it will remain to take a disjunction over $i \in I$ and $f \in F$ of the
constructed formulae. From now on, we suppose that $I = \{i\}$ and $F = \{f\}$.

(2) Assumption. We make the assumption that $i$ contains no x-atom and $f$ contains no
x-atom $x \le \alpha$. As $A$ is simplified, this means that for any state $q \in Q$, either $\lambda_x(q) = \top$
or $\lambda_x(q)$ equals some $x = \alpha$. The proof is done by induction on the x-atoms $x = \alpha$ that
appear as $\lambda_x(q)$ with $q \in Q$. The formula $\Lambda(t,x,\Theta)$ that we will construct will have no
t-conjunction, that is $\Lambda(t,x,\Theta)$ will be a disjunction of formulae of the form $\Lambda_t \wedge \Lambda_x \wedge \Lambda_\theta$.

Base case. Suppose that $\lambda_x(q) = \top$ for all $q \in Q$, that is $\lambda(q) = \lambda_\theta(q)$. Durations of runs
in $R(A^v,x_0)$ are thus independent of the clock values. They are simply equal to the
number of edges labeled by $\tau = 1$ along runs from $i$ to $f$. And to each of these runs is
associated a constraint which is the conjunction of the $\theta$-atoms contained in the states
of the run.

The proof is based on the classical Kleene theorem [10] using the particular alphabet

$B = \{(\tau,\varsigma) \mid \tau \in \{0,1\},\ \varsigma \in \{\lambda_\theta(q), q \in Q\}\}$.

To any edge $(q,\tau,q')$ of $A$ corresponds the letter $(\tau,\lambda_\theta(q'))$ of $B$. The concatenation $\cdot$ of
two letters $(\tau_1,\varsigma_1)$ and $(\tau_2,\varsigma_2)$ is defined as $(\tau_1 + \tau_2, \varsigma_1 \wedge \varsigma_2)$. Thus a word over $B$ is equal
to $(t,\varsigma)$ where $t$ is a positive integer (a duration) and $\varsigma$ is a $\theta$-conjunction (a constraint on
the parameters). In particular, the empty word is equal to $(0,\top)$. The star operation
$*$ is defined as usual and the plus operation $+$ (see footnote 15) is defined by $L^+ = L^* \setminus \{(0,\top)\}$.
We denote by $\mathrm{Rat}_B(\cdot,+)$ the smallest family of languages containing $B$ and closed
under $\cdot$ and $+$. The elements of a set $L \in \mathrm{Rat}_B(\cdot,+)$ have a simple form. The second
components of these elements are all identical because operation $\wedge$ is idempotent. The
first components constitute a set which is the union of a finite set and a finite number of
arithmetic progressions [7]. In other words $L$ is described by a disjunction of formulae
of the form $\Lambda_t \wedge \Lambda_\theta$ such that $\Lambda_\theta$ equals a fixed $\theta$-conjunction $\varsigma$ and $\Lambda_t$ equals either $t = \alpha$
or $t \equiv_{a,\ge} \alpha$ with $\alpha \in \mathbb{N}$.

Footnote 14. $\Lambda_t$ is equal to $t \equiv_{2,\ge} \theta_1 + 1 - x$ and $\Lambda_\le$ is equal to $t \le \theta_2 - x$.

Footnote 15. This notation should not be confused with the one used for the union operation.

Now by Kleene's theorem applied to $A$, we get a rational language over $B$ whose first
components describe the durations of all runs of $R(A^v,x_0)$ and the second components
describe the related constraints. It is not difficult to prove that this rational language
can be rewritten as a finite union of languages in $\mathrm{Rat}_B(\cdot,+)$. We thus get the required
formula $\Lambda(t,x,\Theta)$ as a disjunction of formulae $\Lambda_t \wedge \Lambda_\theta$ where $\Lambda_t$ is a first-type t-atom
and $\Lambda_\theta$ is a $\theta$-conjunction.

General case. Now consider a particular x-atom $x = \alpha$. Let us denote by $P$ the set of
states $q$ such that $\lambda_x(q)$ is equal to $x = \alpha$. As $A$ is simplified, any run $\rho$ of $R(A^v,x_0)$
contains 0 or 1 state of $P$ (see the second part of Definition 4.3). We are going to prove
that the expected formula $\Lambda(t,x,\Theta)$ is equal to

$\Lambda^{Q \setminus P}(t,x,\Theta) \ \vee\ \bigvee_{p \in P} \Lambda^p(t,x,\Theta)$

where $\Lambda^{Q \setminus P}$ describes durations of runs containing no state of $P$, and $\Lambda^p$ describes
durations of runs containing one occurrence of the state $p$ of $P$.

All runs containing no state of $P$ constitute the set $R(A'^v,x_0)$ of an automaton $A'$
obtained from $A$ by erasing all states in $P$. As $A'$ has one x-atom less, $\Lambda^{Q \setminus P}(t,x,\Theta)$ can
be constructed by induction hypothesis.

Let us now fix $p \in P$ and a run $\rho \in R(A^v,x_0)$ that contains it. This run is decomposed
into a run $\rho_1 = (i,x_0) \rightsquigarrow (p,x_1)$ with duration $t_1$, and a run $\rho_2 = (p,x_1) \rightsquigarrow (f,x_2)$ with
duration $t_2$. Duration $t_0$ of $\rho$ is equal to $t_1 + t_2$ such that $x_1 = x_0 + t_1$, $x_2 = x_1 + t_2$ and
$x_1$ satisfies $x = \alpha$. Durations $t_1$ and $t_2$ can be computed by induction in the following
way.

Let us begin with $t_1$. The automaton $A$ is modified into $A^{p,1}$ by erasing states of
$P \setminus \{p\}$ and edges leaving $p$. Invariant $\lambda_x(p)$ is replaced by $\top$. The new unique final
state is $p$. The new automaton has one x-atom less, so $\Lambda^{p,1}(t,x,\Theta)$ can be constructed by
induction hypothesis such that $\Lambda^{p,1}(t_1,x_0,v(\Theta))$ is true. Formula $\Lambda^{p,1}$ is a disjunction
of formulae $\Lambda^1_t \wedge \Lambda^1_x \wedge \Lambda^1_\theta$ where $\Lambda^1_t$ is a first type t-atom, $\Lambda^1_x$ is an x-conjunction and $\Lambda^1_\theta$
is a $\theta$-conjunction. Suppose that $\Lambda^1_t$ is one among

$t = \alpha_1,\quad t \equiv_{a,\ge} \alpha_1,\quad t = \alpha_1 - x,\quad t \equiv_{a,\ge} \alpha_1 - x.$ (4.1)

As $x_1$ satisfies $x = \alpha$ and $x_1 = x_0 + t_1$, then

$x_1 = v(\alpha),\quad t_1 = v(\alpha) - x_0.$ (4.2)

So in (4.1), $t$ can be replaced by $\alpha - x$ and (4.1) becomes

$\alpha - x = \alpha_1,\quad \alpha - x \equiv_{a,\ge} \alpha_1,\quad \alpha = \alpha_1,\quad \alpha \equiv_{a,\ge} \alpha_1.$

Thus $\Lambda^1_t$ becomes an x-atom or a $\theta$-atom. The modified formula $\Lambda^1_t \wedge \Lambda^1_x \wedge \Lambda^1_\theta$ is denoted
by

$\Lambda'^1_x \wedge \Lambda'^1_\theta.$ (4.3)
Let us now describe $t_2$. We modify $A$ into $A^{p,2}$ by erasing states of $P \setminus \{p\}$ and
edges entering $p$. Formula $\lambda_x(p)$ is replaced by $\top$. The new unique initial state is $p$. By
induction hypothesis, $\Lambda^{p,2}(t,x,\Theta)$ is constructed as a disjunction of formulae $\Lambda^2_t \wedge \Lambda^2_x \wedge \Lambda^2_\theta$,
where $\Lambda^2_t$ is one among

$t = \alpha_2,\quad t \equiv_{a,\ge} \alpha_2,\quad t = \alpha_2 - x,\quad t \equiv_{a,\ge} \alpha_2 - x.$ (4.4)

Recall that $\Lambda^{p,2}(t,x,\Theta)$ describes the duration $t_2$ of runs $\rho_2 = (p,x_1) \rightsquigarrow (f,x_2)$ for
which $x_1$ satisfies $x = \alpha$. Thus in (4.4), $x$ can be replaced by $\alpha$ and (4.4) becomes

$t = \alpha_2,\quad t \equiv_{a,\ge} \alpha_2,\quad t = \alpha_2 - \alpha,\quad t \equiv_{a,\ge} \alpha_2 - \alpha.$

This shows that $\Lambda^2_t$ is now of the form

$t = \beta$ or $t \equiv_{a,\ge} \beta.$ (4.5)

Moreover $\Lambda^2_x$ becomes a $\theta$-conjunction when $x$ is replaced by $\alpha$. The modified formula
$\Lambda^2_x \wedge \Lambda^2_\theta$ is denoted by

$\Lambda'^2_\theta.$ (4.6)

Finally, we can describe $t_0 = t_1 + t_2$. By (4.2) and (4.5), it has the form

$t = v(\alpha) - x_0 + v(\beta)$ or $t \equiv_{a,\ge} v(\alpha) - x_0 + v(\beta).$ (4.7)

Hence formula $\Lambda^p(t,x,\Theta)$ for $t_0$ is a disjunction of formulae $\Lambda_t \wedge \Lambda_x \wedge \Lambda_\theta$ such that $\Lambda_t$
has the form (see (4.7)) $t = \alpha - x + \beta$ or $t \equiv_{a,\ge} \alpha - x + \beta$ and $\Lambda_x \wedge \Lambda_\theta$ has the form (see
(4.3) and (4.6)) $\Lambda'^1_x \wedge \Lambda'^1_\theta \wedge \Lambda'^2_\theta$.

(3) Under the assumption that $i$ contains no x-atoms and $f$ contains no x-atom $x \le \alpha$, we
have constructed a formula $\Lambda(t,x,\Theta)$ with no t-conjunction. So we have to take into
account the x-conjunction $\lambda_x(i)$ and the x-atoms $x \le \alpha$ appearing in $f$. Thus $x_0$ must
satisfy $\lambda_x(i)$ and $x_0 + t_0$ must satisfy all $x \le \alpha$ in $f$. It follows that the final formula is
equal to

$\Lambda(t,x,\Theta) \wedge \lambda_x(i)(x,\Theta) \wedge \bigwedge_{x \le \alpha \in f} t \le \alpha - x.$ (4.8)

□

Remark 4.7. Suppose that $A$ is an automaton such that $\lambda(i)$ equals $x = 0$ for each initial
state $i \in I$. Then formula $\Lambda(t,x,\Theta)$ of Proposition 4.6 contains the x-atom $x = 0$ (see (4.8)).
Hence, if $\Lambda(t_0,x_0,v(\Theta))$ is true, then necessarily $x_0 = 0$, which can be interpreted as a
reset of the clock. This remark will be used in the next subsection.

4.4. Durations in General. This subsection is devoted to the proofs of Propositions 3.9 and 3.10. Here there is no longer the restriction on the automaton given by Hypothesis (*): it is any automaton as in Definition 2.2. This automaton is supposed to be normalized by Proposition 4.2. Thus, given a state $q$, the edges $(p, \tau, g, r, q)$ entering $q$ all have the same $r$. We call $q$ a reset-state in case $r = \{x\}$. The set of reset-states of $A$ is denoted by $Q_R$.

Let $A = (Q, E, L, I)$ be an automaton. Let us fix two states $q, q'$, a parameter valuation $v$ and a clock value $x_0$. We denote by

$$R_{q,q'}(A^v, x_0)$$

the set of runs $\rho = (q, x_0) \leadsto (q', \cdot)$ in $A^v$. Let us study this set.
A run $\rho$ in $R_{q,q'}(A^v, x_0)$ possibly contains some reset-states. It thus decomposes as a sequence of $k \ge 1$ runs $\rho_j$, $1 \le j \le k$, such that for any $j$, $\rho_j$ contains no reset-state, except possibly for the first and the last configurations of $\rho_j$. The duration $D_{\rho_j}$ of each $\rho_j$ can be computed thanks to Proposition 4.6. For any $j$, $1 \le j \le k$, let us denote by $\lambda^j(t, x, \theta)$ the Presburger formula corresponding to $D_{\rho_j}$, which is a disjunction of formulae $\lambda_t \wedge \lambda_< \wedge \lambda_x \wedge \lambda_\theta$. So the total duration $D_\rho$ is equal to the sum $\sum_{1 \le j \le k} D_{\rho_j}$. We will see that the durations $D_\rho$ of runs $\rho \in R_{q,q'}(A^v, x_0)$ can be symbolically represented thanks to rational expressions on an alphabet whose letters are the formulae $\lambda_t \wedge \lambda_< \wedge \lambda_x \wedge \lambda_\theta$ that appear in the $\lambda^j(t, x, \theta)$'s. Thanks to this symbolic description and because our logic is the fragment F-PTCTL, we will be able to prove Propositions 3.9 and 3.10. It should be noted that the durations $D_\rho$ of runs $\rho \in R_{q,q'}(A^v, x_0)$ cannot be described by a Presburger formula as in Proposition 4.6, otherwise the model-checking problem for PTCTL would be decidable (see Corollary 3.3).

Let us now explain in detail all these ideas.

In a first step, we construct from $A$ several reset-free normalized automata as in Hypothesis (*). The construction is a standard one in automata theory. Runs $\rho_j$ mentioned before will be runs in these automata and their durations will be described thanks to Proposition 4.6.

First construction. For each couple $(p, p')$ of states of $A$ such that $p \in \{q\} \cup Q_R$ and $p' \in \{q'\} \cup Q_R$, we construct from $A$ the following reset-free automaton $A_{p,p'} = (Q', I', F', E', L', \lambda')$. The set $Q'$ of states is $(Q \setminus Q_R) \cup \{\bar p, \bar p'\}$ where $\bar p, \bar p'$ are copies of $p, p'$. The unique initial state is $\bar p$ and the unique final state is $\bar p'$. Let $L'(\bar p) = L(p)$ and $L'(\bar p') = L(p')$. Let $\lambda'(\bar p)$ be equal to $\lambda(p)$ if $p = q$ and to $(\lambda(p) \wedge x = 0)^{16}$ if $p \ne q$. Let $\lambda'(\bar p')$ be equal to $\lambda(p')$ if $p' \notin Q_R$ and to $(\lambda(p') \wedge x = 0)$ if $p' \in Q_R$. The set $E'$ of edges is the union of $E$ restricted to $Q \setminus Q_R$ with the next set of new edges$^{17}$:

$$(\bar p, \tau, g, r, p_1) \quad \text{if } (p, \tau, g, r, p_1) \in E$$
$$(p_1, \tau, g, \emptyset, \bar p') \quad \text{if } (p_1, \tau, g, r, p') \in E$$
$$(\bar p, \tau, g, \emptyset, \bar p') \quad \text{if } (p, \tau, g, r, p') \in E.$$

In this way, automaton $A_{p,p'}$ satisfies Hypothesis (*).

Let $p \in \{q\} \cup Q_R$ and $p' \in \{q'\} \cup Q_R$. We define $x_1$ to be equal to $x_0$ if $p = q$, and to $0$ if $p \ne q$. The runs of $R(A_{p,p'}, x_1)$ are exactly the non-empty runs $(p, x_1) \leadsto (p', \cdot)$ of $A^v$ that pass through no reset-state (except possibly the first and the last states of the run). The durations of runs in $R(A_{p,p'}, x_1)$ are described by formula $\lambda^{p,p'}(t, x, \theta)$ of Proposition 4.6. This formula is a disjunction $\bigvee_j \lambda^{p,p',j}$ of formulae

$$\lambda^{p,p',j} = \lambda^{p,p',j}_t \wedge \lambda^{p,p',j}_< \wedge \lambda^{p,p',j}_x \wedge \lambda^{p,p',j}_\theta. \tag{4.9}$$

For each couple $(p, p')$ and each $j$, we associate a distinct letter $b_{p,p',j}$ to each formula $\lambda^{p,p',j}$. The set of all these letters is denoted by $B$. We say that letter $b_{p,p',j}$ is a reset-letter if $p$ is a reset-state. The set of reset-letters is denoted $B_R$.

In a second step, we construct another automaton from $A$ in a way to show how a run of $R_{q,q'}(A^v, x_0)$ is decomposed into a sequence of runs $\rho_j$ according to reset-states of $A$. This automaton will be a classical automaton [10].



$^{16}$ The $x$-atom $x = 0$ imposes a reset of the clock at state $p$ (see Remark 4.7).
$^{17}$ As $A_{p,p'}$ must satisfy Hypothesis (*), no reset can appear on the edges.






Second construction. We construct an automaton $\mathcal{B}$ over the alphabet $B$ as follows. The set of states equals $Q_R \cup \{q, q'\}$ and the set of edges equals $\{(p, b, p') \mid b = b_{p,p',j} \text{ for some } j\}$. The unique initial (resp. final) state is $q$ (resp. $q'$).

So, any run $\rho$ of $R_{q,q'}(A^v, x_0)$ is mapped to a path in $\mathcal{B}$ from $q$ to $q'$ which indicates how $\rho$ is decomposed according to reset-states of $A$. The duration of $\rho$ is symbolically represented by the word that labels the corresponding path in $\mathcal{B}$. Hence the set of durations of runs of $R_{q,q'}(A^v, x_0)$ is symbolically represented by the rational subset accepted by $\mathcal{B}$. We denote by

$$L_{q,q'}$$

this subset of $B^*$. Any word of $L_{q,q'}$ has at most one letter that is non reset (the first letter of the word).

We now study in detail rational expressions over the alphabet $B$ and in particular the rational expression defining $L_{q,q'}$.

Rational expressions. Let $L^+$ denote $L^* \setminus \{\varepsilon\}$ with $\varepsilon$ denoting the empty word, and let $\mathrm{Rat}_B(\cdot, +)$ be the smallest family closed under $\cdot$ and $+$, and containing $B$. One can prove that any rational language over $B$ can be effectively rewritten as a finite union of languages in $\{\varepsilon\} \cup \mathrm{Rat}_B(\cdot, +)$. Therefore

$$L_{q,q'} = \bigcup_i L_i \tag{4.10}$$

with

$$L_i = \{\varepsilon\} \quad \text{or} \quad L_i = \{b_i\} \quad \text{or} \quad L_i = b_i \cdot K_i$$

such that $b_i \in B$, $K_i \in \mathrm{Rat}_{B_R}(\cdot, +)$. The set $R_{q,q'}(A^v, x_0)$ is decomposed into

$$R_{q,q'}(A^v, x_0) = \bigcup_i R_i \tag{4.11}$$

according to (4.10).

A non empty word of $L_{q,q'}$ is a sequence $b_1 b_2 \cdots b_n \in B^+$. The first letter $b_1$ describes runs from state $q$ to some reset-state $p_1$, the clock value at $q$ being $x_0$. Each letter $b_i$, $i \ge 2$, is a reset-letter. If $2 \le i < n$, $b_i$ describes runs from reset-state $p_{i-1}$ to reset-state $p_i$, the clock value at $p_{i-1}$ being $0$. If $i = n$, $b_i$ describes runs from reset-state $p_{n-1}$ to state $q'$, the clock value at $p_{n-1}$ being $0$. Let

$$\lambda^i_t \wedge \lambda^i_< \wedge \lambda^i_x \wedge \lambda^i_\theta \tag{4.12}$$

be the formula associated to each letter $b_i$, $i \ge 1$ (see (4.9)). Whenever $i \ge 2$, $\lambda^i_x$ contains the $x$-atom $x = 0$ by Remark 4.7 and the definition of automaton $A_{p,p'}$. In this case, we prefer$^{18}$ to work with the equivalent formula

$$\kappa^i_t \wedge \kappa^i_< \wedge \kappa^i_\theta \tag{4.13}$$

such that $x$ has been replaced by $0$ in (4.12) (in particular, $\lambda^i_x$ becomes a $\theta$-conjunction). In this formula $\kappa^i_t$ is a $t$-atom of the form $t = \alpha$ or $t =_{a,\ge} \alpha$, $\kappa^i_<$ is a conjunction of $t$-atoms of the form $t < \alpha$ and $\kappa^i_\theta$ is a $\theta$-conjunction.



$^{18}$ The sequence $b_1 b_2 \cdots b_n$ symbolically represents certain runs of $R_{q,q'}(A^v, x_0)$. We are only interested in the initial clock value $x_0$ treated by formula $\lambda^1_x$ of $b_1$.
The concatenation $b_1 \cdot b_2 \cdots b_n$ is interpreted as follows. It is the sum $t_1 + t_2 + \cdots + t_n$ of the durations $t_1, t_2, \ldots, t_n$ respectively described by $\lambda^1_t, \kappa^2_t, \ldots, \kappa^n_t$. It is the conjunction of the related constraints

$$(\lambda^1_< \wedge \kappa^2_< \wedge \cdots \wedge \kappa^n_<) \wedge \lambda^1_x \wedge (\lambda^1_\theta \wedge \kappa^2_\theta \wedge \cdots \wedge \kappa^n_\theta).$$

Formulae $\lambda^1_<, \kappa^2_<, \ldots, \kappa^n_<$ impose upper bounds on $t_1, t_2, \ldots, t_n$. The $x$-conjunction $\lambda^1_x$ imposes constraints on the clock value $x_0$. The $\theta$-conjunction $(\lambda^1_\theta \wedge \kappa^2_\theta \wedge \cdots \wedge \kappa^n_\theta)$ imposes constraints on the parameters.

In the next lemmas, we show that certain properties of runs in $R_i$ can be expressed in Presburger arithmetic thanks to the symbolic representation $L_i$ of $R_i$ (see (4.10) and (4.11)). After these lemmas, we will be fully equipped to prove Propositions 3.9 and 3.10. Note that Proposition 3.10 can only be proved with $\sim$ limited to $\{<, \le, >, \ge\}$, otherwise the model-checking problem for PTCTL would be decidable.

Lemma 4.8. One can construct a $\mathcal{B}_{x,\theta}$ formula $\mathrm{NonEmpty}_{L_i}(x, \theta)$ such that for any valuation $v$ and any clock value $x_0$, $\mathrm{NonEmpty}_{L_i}(x_0, v(\theta))$ is true iff $R_i$ is non empty.

Proof. Runs of $R_i$ have durations that are symbolically represented by the words of $L_i$. Let us construct formula $\mathrm{NonEmpty}_{L_i}$ by induction on the rational expression defining $L_i$ (see (4.10)). This formula will be equal to $\eta_x \wedge \eta_\theta$ with $\eta_x$ an $x$-conjunction imposing constraints on the clock and $\eta_\theta$ a $\theta$-conjunction imposing constraints on the parameters.

Suppose $L_i = \{\varepsilon\}$, then $\mathrm{NonEmpty}_{L_i}(x, \theta)$ equals $x = 0$ if $q$ is a reset-state and $\lambda(q)(x, \theta)$ otherwise. Indeed, under these constraints, $R_i$ is non empty since it contains the empty run with the null duration. Suppose that $L_i = \{b_i\}$ with $b_i \in B$ and associated formula $\lambda^i_t \wedge \lambda^i_< \wedge \lambda^i_x \wedge \lambda^i_\theta$. Recall that $\lambda^i_t$ is one among the $t$-atoms $t = \alpha$, $t = \alpha - x$, $t =_{a,\ge} \alpha$ or $t =_{a,\ge} \alpha - x$ and that $\lambda^i_<$ is of the form $\bigwedge_\beta t < \beta - x$. It follows that the non emptiness of $R_i$ can be expressed thanks to the minimum duration $t = \alpha$ ($t = \alpha - x$ resp.) of runs in $R_i$. Then

$$\mathrm{NonEmpty}_{L_i}(x, \theta) = \Big(\bigwedge_\beta \alpha < \beta - x\Big) \wedge \lambda^i_x \wedge \lambda^i_\theta \tag{4.14}$$

$$\Big( = \Big(\bigwedge_\beta \alpha < \beta\Big) \wedge \lambda^i_x \wedge \lambda^i_\theta \ \text{resp.}\Big)$$

Suppose now that $L_i = b_i \cdot K_i$ with $b_i \in B$ and $K_i \in \mathrm{Rat}_{B_R}(\cdot, +)$. Let us first prove by induction on the rational expression defining $K_i$ that $\mathrm{NonEmpty}_{K_i}(\theta)$ equals some $\theta$-conjunction $\eta_\theta$$^{19}$. Let $K_i = \{b_i\}$ with $b_i \in B_R$. We obtain a formula similar to (4.14) where $x$ is replaced by $0$ (see (4.13)), so

$$\mathrm{NonEmpty}_{K_i}(\theta) = \Big(\bigwedge_\beta \alpha < \beta\Big) \wedge \kappa^i_\theta.$$

Suppose that $K_i = K \cdot K'$ and formulae $\mathrm{NonEmpty}_K$, $\mathrm{NonEmpty}_{K'}$ have been constructed by induction. Then $\mathrm{NonEmpty}_{K_i}(\theta) = \mathrm{NonEmpty}_K(\theta) \wedge \mathrm{NonEmpty}_{K'}(\theta)$ because the non emptiness of $R_i$ requires the non emptiness of both $K$ and $K'$. If $K_i = K^+$, then $\mathrm{NonEmpty}_{K_i}(\theta) = \mathrm{NonEmpty}_K(\theta)$ because conjunction is an idempotent operation. Finally for $L_i = b_i \cdot K_i$, we get $\mathrm{NonEmpty}_{L_i}(x, \theta) = \mathrm{NonEmpty}_{\{b_i\}}(x, \theta) \wedge \eta_\theta$ where $\mathrm{NonEmpty}_{\{b_i\}}(x, \theta)$ is formula (4.14) and $\eta_\theta$ is the formula just constructed for $K_i$. $\square$

$^{19}$ There is no term $\eta_x$ since $K_i \subseteq B_R^+$, that is, $x = 0$ (see (4.13)).

Lemma 4.9. One can construct a $\mathcal{B}_{x,\theta}$ formula $\mathrm{NonNull}_{L_i}(x, \theta)$ such that for any valuation $v$ and any clock value $x_0$, $\mathrm{NonNull}_{L_i}(x_0, v(\theta))$ is true iff $R_i$ contains a run with a non null duration.

Proof. The proof is in the same vein as for Lemma 4.8, with a similar form $\eta_x \wedge \eta_\theta$ for $\mathrm{NonNull}_{L_i}(x, \theta)$.

If $L_i = \{\varepsilon\}$, then clearly $\mathrm{NonNull}_{L_i}(x, \theta) = \bot$. Let $L_i = \{b_i\}$ with $b_i \in B$ and associated formula $\lambda^i_t \wedge \lambda^i_< \wedge \lambda^i_x \wedge \lambda^i_\theta$. Let us study as before formulae $\lambda^i_t$ and $\lambda^i_<$, where $\lambda^i_< = \bigwedge_\beta (t < \beta - x)$. If $\lambda^i_t$ equals $t = \alpha$, then $t$ is non null iff $\alpha > 0$. Then $\mathrm{NonNull}_{L_i}(x, \theta)$ is the formula $(\alpha > 0) \wedge (\bigwedge_\beta \alpha < \beta - x) \wedge \lambda^i_x \wedge \lambda^i_\theta$. When $\lambda^i_t$ is $t = \alpha - x$, we have a similar formula with $t$ non null if $\alpha - x > 0$. If $\lambda^i_t$ equals $t =_{a,\ge} \alpha$, then a possible non null value for $t$ is either $\alpha$ if $\alpha > 0$ or $a$ if $\alpha = 0$. We get formula $\mathrm{NonNull}_{L_i}(x, \theta)$ equal to

$$\Big(\big(\alpha > 0 \wedge \bigwedge_\beta (\alpha < \beta - x)\big) \vee \big(\alpha = 0 \wedge \bigwedge_\beta (a < \beta - x)\big)\Big) \wedge \lambda^i_x \wedge \lambda^i_\theta.$$

A similar argument holds if $\lambda^i_t$ equals $t =_{a,\ge} \alpha - x$.

Let $L_i = b_i \cdot K_i$, with $b_i \in B$ and $K_i \in \mathrm{Rat}_{B_R}(\cdot, +)$. Let us first construct formula $\mathrm{NonNull}_{K_i}(\theta)$ by induction on $K_i$. This formula will be a $\theta$-conjunction. If $K_i = \{b_i\}$ with $b_i \in B_R$, we get a formula $\mathrm{NonNull}_{K_i}$ as for the case $L_i = \{b_i\}$ such that $x$ is replaced by $0$.

If $K_i = K \cdot K'$, then there exists a non null duration in $K_i$ iff there exists some duration in $K$ and some other in $K'$ and one of them is non null. Thus $\mathrm{NonNull}_{K_i}(\theta)$ equals $(\mathrm{NonNull}_K(\theta) \wedge \mathrm{NonEmpty}_{K'}(\theta)) \vee (\mathrm{NonEmpty}_K(\theta) \wedge \mathrm{NonNull}_{K'}(\theta))$. If $K_i = K^+$, then $\mathrm{NonNull}_{K_i}(\theta) = \mathrm{NonNull}_K(\theta)$. Finally, for $L_i = b_i \cdot K_i$, we get the formula $(\mathrm{NonNull}_{\{b_i\}}(x, \theta) \wedge \mathrm{NonEmpty}_{K_i}(\theta)) \vee (\mathrm{NonEmpty}_{\{b_i\}}(x, \theta) \wedge \mathrm{NonNull}_{K_i}(\theta))$. $\square$

Lemma 4.10. One can construct a $\mathcal{B}_{x,\theta}$ formula $\mathrm{NonZeno}_{L_i}(x, \theta)$ such that for any valuation $v$ and any clock value $x_0$, $\mathrm{NonZeno}_{L_i}(x_0, v(\theta))$ is true iff $R_i$ contains runs with arbitrarily large durations.

Proof. The proof is again similar. 

Suppose $L_i = \{\varepsilon\}$, then clearly $\mathrm{NonZeno}_{L_i}(x, \theta) = \bot$. Let $L_i = \{b_i\}$ with $b_i \in B$ and associated formula $\lambda^i_t \wedge \lambda^i_< \wedge \lambda^i_x \wedge \lambda^i_\theta$. If $\lambda^i_t$ equals $t = \alpha$ or $t = \alpha - x$, then $\mathrm{NonZeno}_{L_i}(x, \theta) = \bot$. If $\lambda^i_t$ equals $t =_{a,\ge} \alpha$ or $t =_{a,\ge} \alpha - x$, then $t$ is arbitrarily large iff $\lambda^i_< = \top$. In this case, $\mathrm{NonZeno}_{L_i}(x, \theta) = \lambda^i_x \wedge \lambda^i_\theta$, otherwise $\mathrm{NonZeno}_{L_i}(x, \theta) = \bot$.

Suppose now that $L_i = b_i \cdot K_i$. We begin by constructing a $\theta$-conjunction $\mathrm{NonZeno}_{K_i}(\theta)$ by induction on $K_i$. If $K_i = \{b_i\}$ with $b_i \in B_R$, then the formula is as in the case $L_i = \{b_i\}$ with $x$ replaced by $0$. If $K_i = K \cdot K'$, then $\mathrm{NonZeno}_{K_i}(\theta)$ equals $(\mathrm{NonZeno}_K(\theta) \wedge \mathrm{NonEmpty}_{K'}(\theta)) \vee (\mathrm{NonEmpty}_K(\theta) \wedge \mathrm{NonZeno}_{K'}(\theta))$. If $K_i = K^+$, then $K_i$ has arbitrarily large durations iff $K$ contains a non null duration, that is $\mathrm{NonZeno}_{K_i}(\theta) = \mathrm{NonNull}_K(\theta)$. Thus we get for $L_i = b_i \cdot K_i$ the formula

$$(\mathrm{NonZeno}_{\{b_i\}}(x, \theta) \wedge \mathrm{NonEmpty}_{K_i}(\theta)) \vee (\mathrm{NonEmpty}_{\{b_i\}}(x, \theta) \wedge \mathrm{NonZeno}_{K_i}(\theta)).$$

□ 

Lemma 4.11. One can construct a Presburger formula $\mathrm{Min}_{L_i}(t, x, \theta)$ such that for any valuation $v$ and any clock value $x_0$, $\mathrm{Min}_{L_i}(t_0, x_0, v(\theta))$ is true iff $t_0$ is the minimum duration of runs of $R_i$. This formula is equal to $\mu_t \wedge \mu_x \wedge \mu_\theta$ such that $\mu_t$ is of the form $t = \alpha$ or $t = \alpha - x$, $\mu_x$ is an $x$-conjunction and $\mu_\theta$ is a $\theta$-conjunction.

Proof. In this proof, we have to describe the minimum duration by the variable $t$ and the constraints on it by $\mu_x$ and $\mu_\theta$.

Let $L_i = \{\varepsilon\}$, then $\mathrm{Min}_{L_i}(t, x, \theta)$ is equal to $(t = 0) \wedge (x = 0)$ if $q$ is a reset-state, and $(t = 0) \wedge \lambda(q)(x, \theta)$ otherwise. Let $L_i = \{b_i\}$ with $b_i \in B$. Then looking at the form of $\lambda^i_t$, the minimum duration equals $\alpha$ ($\alpha - x$ resp.) (see (4.14) and the sentence just before). Therefore formula $\mathrm{Min}_{L_i}(t, x, \theta)$ is equal to

$$(t = \alpha) \wedge \Big(\bigwedge_\beta \alpha < \beta - x\Big) \wedge \lambda^i_x \wedge \lambda^i_\theta \tag{4.15}$$

$$\Big( (t = \alpha - x) \wedge \Big(\bigwedge_\beta \alpha < \beta\Big) \wedge \lambda^i_x \wedge \lambda^i_\theta \ \text{resp.}\Big)$$

Suppose $L_i = b_i \cdot K_i$. Let us begin by constructing formula $\mathrm{Min}_{K_i}(t, \theta)$, the form of which will be $\mu_t \wedge \mu_\theta$. If $K_i = \{b_i\}$ with $b_i \in B_R$, then $\mathrm{Min}_{K_i}(t, \theta)$ equals (4.15) with $x$ replaced by $0$. If $K_i = K \cdot K'$, then the minimum duration in $K_i$ equals the sum of the minimum durations in $K$ and $K'$. Hence, if $\mathrm{Min}_K(t, \theta) = (t = \alpha) \wedge \mu_\theta$ and $\mathrm{Min}_{K'} = (t = \alpha') \wedge \mu'_\theta$, then $\mathrm{Min}_{K_i}(t, \theta)$ is equal to $(t = \alpha + \alpha') \wedge \mu_\theta \wedge \mu'_\theta$. If $K_i = K^+$, then the minimum duration in $K_i$ is the minimum duration in $K$, i.e. $\mathrm{Min}_{K_i}(t, \theta) = \mathrm{Min}_K(t, \theta)$. Let us come back to $L_i = b_i \cdot K_i$. Let $\mathrm{Min}_{\{b_i\}}(t, x, \theta)$ be equal to (4.15) and $\mathrm{Min}_{K_i}(t, \theta)$ be equal to $(t = \alpha') \wedge \mu_\theta$. Then $\mathrm{Min}_{L_i}(t, x, \theta)$ is equal to $(t = \alpha + \alpha') \wedge (\bigwedge_\beta \alpha < \beta - x) \wedge \lambda^i_x \wedge \lambda^i_\theta \wedge \mu_\theta$ (resp. $(t = \alpha + \alpha' - x) \wedge (\bigwedge_\beta \alpha < \beta) \wedge \lambda^i_x \wedge \lambda^i_\theta \wedge \mu_\theta$). $\square$

In the next lemma, we are going to construct a formula $\mathrm{Max}_{L_i}(t, x, \theta)$ that describes the maximum duration $t$ in $L_i$. Note that durations $t$ in $L_i$ can be arbitrarily large (see Lemma 4.10). We will thus denote symbolically by $t = \infty$ the (non existing) maximum duration.

Lemma 4.12. One can construct a formula $\mathrm{Max}_{L_i}(t, x, \theta)$ such that for any valuation $v$ and any clock value $x_0$, $\mathrm{Max}_{L_i}(t_0, x_0, v(\theta))$ is true iff $t_0$ is the maximum duration of runs of $R_i$. This formula is equal to a disjunction of formulae $M_t \wedge M_x \wedge M_\theta$ such that $M_t$ is of the form $t = \alpha$, $t = \alpha - x$ or $t = \infty$, $M_x$ is an $x$-conjunction and $M_\theta$ is a $\theta$-conjunction.

Proof. If $L_i = \{\varepsilon\}$, then $\mathrm{Max}_{L_i}$ is $(t = 0) \wedge (x = 0)$ if $q$ is a reset-state, and $(t = 0) \wedge \lambda(q)(x, \theta)$ otherwise. Let $L_i = \{b_i\}$ with $b_i \in B$. Let us study $\lambda^i_t$ and $\lambda^i_<$ equal to $\bigwedge_\beta (t < \beta - x)$. If $\lambda^i_t$ is $t = \alpha$, then $\mathrm{Max}_{L_i}(t, x, \theta)$ equals $\lambda^i_t \wedge \bigwedge_\beta (\alpha < \beta - x) \wedge \lambda^i_x \wedge \lambda^i_\theta$. A similar formula holds when $\lambda^i_t$ equals $t = \alpha - x$. If $\lambda^i_t$ is $t =_{a,\ge} \alpha$ with $\lambda^i_< = \top$, then $\mathrm{Max}_{L_i}(t, x, \theta)$ equals $(t = \infty) \wedge \lambda^i_x \wedge \lambda^i_\theta$. Suppose that $\lambda^i_t$ is $t =_{a,\ge} \alpha$ with $\lambda^i_<$ being a non empty conjunction $\bigwedge_\beta (t < \beta - x)$. Then the maximum duration is the greatest value $\alpha + ay$, for some $y \in \mathbb{N}$, which is less than or equal to the smallest among the $\beta - x$'s, denoted by $\beta' - x$. Assume that $\beta' - x = b \bmod a$ and $\alpha = c \bmod a$ for some $b, c \in \{0, \ldots, a - 1\}$. If $b \ge c$, then the maximum duration is given by formula $M_t$ equal to $t = \beta' - x - (b - c)$ under the condition $m_\theta$ equal to $t \ge \alpha$, i.e. $\beta' - x - (b - c) \ge \alpha$. If $b < c$, then $M_t$ equals $t = \beta' - x - (a + b - c)$ under the condition $m_\theta$ equal to $\beta' - x - (a + b - c) \ge \alpha$. Thus $\mathrm{Max}_{L_i}(t, x, \theta)$ is a disjunction over the different possible values of $\beta'$, $b$ and $c$ of formulae

$$M_t \wedge m_\theta \wedge \lambda^i_x \wedge \lambda^i_\theta \wedge M_{\beta',b,c}$$

such that $M_{\beta',b,c}$ is the conjunction

$$\Big(\bigwedge_\beta \beta' \le \beta\Big) \wedge (\beta' - x =_{a,\ge} b) \wedge (\alpha =_{a,\ge} c).$$

A similar argument can be done when $\lambda^i_t$ is $t =_{a,\ge} \alpha - x$.
Let $L_i = b_i \cdot K_i$. Let us first construct $\mathrm{Max}_{K_i}$. This formula will contain no $M_x$. If $K_i = \{b_i\}$ with $b_i \in B_R$, then all the proof done before for $L_i = \{b_i\}$ can be repeated with $x$ replaced by $0$. Suppose that $K_i = K \cdot K'$ and that $\mathrm{Max}_K(t, \theta)$ and $\mathrm{Max}_{K'}(t, \theta)$ are a disjunction of formulae $M_t \wedge M_\theta$ and $M'_t \wedge M'_\theta$ respectively. If $M_t = (t = \alpha)$ and $M'_t = (t = \alpha')$, then $\mathrm{Max}_{K_i}(t, \theta)$ contains the conjunction $(t = \alpha + \alpha') \wedge M_\theta \wedge M'_\theta$. If $M_t = (t = \infty)$ or $M'_t = (t = \infty)$, then $\mathrm{Max}_{K_i}(t, \theta)$ contains the conjunction $(t = \infty) \wedge M_\theta \wedge M'_\theta$. Suppose that $K_i = K^+$, then the maximum duration equals $\infty$ if $K$ contains a non null duration (see Lemma 4.9), and $0$ otherwise. Thus $\mathrm{Max}_{K_i}(t, \theta)$ is the formula $((t = \infty) \wedge \mathrm{NonNull}_K(\theta)) \vee ((t = 0) \wedge \neg\mathrm{NonNull}_K(\theta))$. Formula $\mathrm{Max}_{L_i}(t, x, \theta)$ for $L_i = b_i \cdot K_i$ can be easily constructed (as done before for $K \cdot K'$). $\square$
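The inductive rules of Lemmas 4.8 to 4.12 can be exercised on concrete data once a valuation $v$ is fixed and $x$ is replaced by $0$ as in (4.13). The Python code below is an added example, not part of the paper: it assumes a reset-letter is encoded as a triple $(\alpha, a, B)$ standing for the duration set $\{\alpha + ay : y \in \mathbb{N}\}$ bounded by $B$ (with $a = 0$ for $t = \alpha$, $B = \mathtt{None}$ for $\kappa_< = \top$, and the bound taken inclusive as in the proof of Lemma 4.12), encodes an expression of $\mathrm{Rat}_{B_R}(\cdot, +)$ as nested tuples, and checks the five constructions against a brute-force enumeration of the duration set.

```python
INF = float("inf")  # stands for the symbolic maximum t = oo of Lemma 4.12

def nonempty(K):
    """Lemma 4.8: the duration set of K is non empty."""
    if K[0] == "letter":
        _, alpha, a, B = K
        return B is None or alpha <= B          # minimum duration alpha meets the bound
    if K[0] == "cat":
        return nonempty(K[1]) and nonempty(K[2])
    return nonempty(K[1])                       # K+: conjunction is idempotent

def nonnull(K):
    """Lemma 4.9: some duration is non null."""
    if K[0] == "letter":
        _, alpha, a, B = K
        if alpha > 0:
            return B is None or alpha <= B
        return a > 0 and (B is None or a <= B)  # alpha = 0: the next candidate is a
    if K[0] == "cat":
        return (nonnull(K[1]) and nonempty(K[2])) or (nonempty(K[1]) and nonnull(K[2]))
    return nonnull(K[1])

def nonzeno(K):
    """Lemma 4.10: durations are arbitrarily large."""
    if K[0] == "letter":
        _, alpha, a, B = K
        return a > 0 and B is None              # t =_{a,>=} alpha with kappa_< = T
    if K[0] == "cat":
        return (nonzeno(K[1]) and nonempty(K[2])) or (nonempty(K[1]) and nonzeno(K[2]))
    return nonnull(K[1])                        # K+ is unbounded iff K has a non null duration

def minimum(K):
    """Lemma 4.11; None when the set is empty."""
    if not nonempty(K):
        return None
    if K[0] == "letter":
        return K[1]
    if K[0] == "cat":
        return minimum(K[1]) + minimum(K[2])    # minima add up under concatenation
    return minimum(K[1])

def maximum(K):
    """Lemma 4.12; INF when unbounded, None when the set is empty."""
    if not nonempty(K):
        return None
    if K[0] == "letter":
        _, alpha, a, B = K
        if a == 0:
            return alpha
        if B is None:
            return INF
        b, c = B % a, alpha % a                 # beta' - x = b mod a, alpha = c mod a
        return B - (b - c) if b >= c else B - (a + b - c)
    if K[0] == "cat":
        return maximum(K[1]) + maximum(K[2])    # INF absorbs any finite summand
    return INF if nonnull(K[1]) else 0          # K+: t = oo iff NonNull_K, else t = 0

def durations(K, cap):
    """Brute-force duration set truncated at cap, used only to check the lemmas."""
    if K[0] == "letter":
        _, alpha, a, B = K
        top = cap if B is None else min(B, cap)
        return set(range(alpha, top + 1, a if a > 0 else top + 1))
    if K[0] == "cat":
        left, right = durations(K[1], cap), durations(K[2], cap)
        return {s + u for s in left for u in right if s + u <= cap}
    base = acc = durations(K[1], cap)
    while True:                                 # close under sums up to cap
        more = {s + u for s in acc for u in base if s + u <= cap} - acc
        if not more:
            return acc
        acc = acc | more
```

For the letter $(2, 3, 13)$ the closed form of Lemma 4.12 gives $b = 1 < c = 2$, hence $13 - (3 + 1 - 2) = 11$, which the enumeration confirms.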

Proof (of Proposition 3.9). Let us prove that one can construct a $\mathcal{B}_{x,\theta}$ formula $\mathrm{Run}_q(x, \theta)$ such that for any valuation $v$ and any clock value $x_0$, $\mathrm{Run}_q(x_0, v(\theta))$ is true iff there exists an infinite run in $A^v$ starting with $(q, x_0)$. Such a run exists iff for some $q' \in Q$, there exist runs in $R_{q,q'}(A^v, x_0)$ with arbitrarily large durations. As $R_{q,q'}(A^v, x_0) = \bigcup_i R_i$, this is equivalent to saying that some $R_i$ contains runs with arbitrarily large durations. By Lemma 4.10, it follows that formula $\mathrm{Run}_q(x, \theta)$ is equal to $\bigvee_{q' \in Q} \bigvee_i \mathrm{NonZeno}_{L_i}(x, \theta)$. $\square$

Proof (of Proposition 3.10). Let $\gamma$ be a linear term and $\sim \in \{<, \le, >, \ge\}$. We have to show that there exists a $\mathcal{B}_{x,\theta}$ formula $\mathrm{Duration}_{q,q'}(x, \theta)$ such that for any valuation $v$ and any clock value $x_0$, $\mathrm{Duration}_{q,q'}(x_0, v(\theta))$ is true iff there exists a run in $R_{q,q'}(A^v, x_0)$ with duration $t \sim v(\gamma)$.

(1) We begin with $\sim \in \{<, \le\}$. To test if there exists a run in $R_{q,q'}(A^v, x_0)$ with duration $t \sim v(\gamma)$ is equivalent to test that $t_{\min} \sim v(\gamma)$ with $t_{\min}$ being the minimum duration of runs in $R_{q,q'}(A^v, x_0)$. By Lemma 4.11, the minimum duration for each $R_i$ is expressed by formula $\mathrm{Min}_{L_i}(t, x, \theta)$. This formula is of the form $\mu_t \wedge \mu_x \wedge \mu_\theta$ with $\mu_t$ equal to $t = \alpha$ or $t = \alpha - x$. Therefore $\mathrm{Duration}_{q,q'}(x, \theta)$ is equal to $\bigvee_i \mathrm{Duration}_i$, where each $\mathrm{Duration}_i$ is obtained by modifying $\mathrm{Min}_{L_i}$ as follows: any formula $\mu_t$ equal to $t = \alpha$ ($t = \alpha - x$ resp.) is replaced by formula $\alpha \sim \gamma$ ($\alpha - x \sim \gamma$ resp.).

(2) We now turn to $\sim \in \{>, \ge\}$. The approach is similar but with the maximum (instead of minimum) duration. By Lemma 4.12, the maximum duration for each $R_i$ is expressed by formula $\mathrm{Max}_{L_i}(t, x, \theta)$. This formula is a disjunction of formulae $M_t \wedge M_x \wedge M_\theta$ with $M_t$ equal to $t = \alpha$, $t = \alpha - x$ or $t = \infty$. It follows that $\mathrm{Duration}_{q,q'}(x, \theta)$ is equal to $\bigvee_i \mathrm{Duration}_i$, where each $\mathrm{Duration}_i$ is obtained by modifying $\mathrm{Max}_{L_i}$ in the following way. If $M_t$ equals $t = \alpha$, $t = \alpha - x$ or $t = \infty$, then it is replaced by formula $\alpha \sim \gamma$, $\alpha - x \sim \gamma$ or $\top$ respectively. $\square$



5. Conclusion 

In this paper, we have completely studied the model-checking problem and the parameter synthesis problem of the logic PTCTL, an extension of TCTL with parameters, over one parametric clock discrete-timed automata. On the negative side, we showed that the model-checking problem is undecidable. The undecidability result needs equality in the logic. On the positive side, we showed that for the fragment F-PTCTL where the equality is not allowed, the model-checking problem becomes decidable and the parameter synthesis problem is solvable. Our algorithm is based on automata theoretic principles and an extension of our method (see [5]) to express durations of runs of a timed automaton using Presburger arithmetic. With this approach, the model-checking problem and the parameter synthesis problem are syntactically translated into Presburger arithmetic, which has a decidable theory and an effective quantifier elimination. The model-checking problem is translated into a Presburger sentence inside which the Presburger decision procedure looks for semantic inconsistencies between the parameters and the parametric clock. The parameter synthesis problem asks for which values of the parameters an F-PTCTL formula is true at a given configuration of the timed automaton. Thanks to Presburger quantifier elimination, this problem is solved by expressing the values of the parameters in terms of the operations $+$, $<$ and $= \bmod a$, $a \in \mathbb{N}^+$.

To the best of our knowledge, this is the first work that studies the model-checking 
and parameter synthesis problems with parameters both in the model (timed automaton) 
and in the property (PTCTL formula). The problems solved in this paper are important 
as it is very natural to refer in the properties of the system to parameters appearing in the 
model of the system. We illustrated in the introduction the kind of properties that can be 
expressed and automatically verified in our framework. 

Future work could be the following. A first task is to give the precise borderline between decidability and undecidability. Is the model-checking problem decidable for the logic PTCTL such that equality is forbidden in the operators $\exists U_{\sim\alpha}$ and $\forall U_{\sim\alpha}$? No complexity issues are addressed in this paper and only discrete time is considered. Presburger theory is decidable with the high 3ExpTime complexity. More efficient algorithms should be designed for particular fragments of F-PTCTL. The extension to dense-timed models of the method proposed in this paper should be investigated.